Termination of single user sessions
An administrator or a back-end application can use the Verify Identity Access administration API to terminate a specific user session based on the user session ID.
See User session ID string format to review the structure of the user session ID string.
The user_session_id portion of the user session ID string can be passed to the ivadmin_server_performtask() function. This function takes as its input the same command string that the standard pdadmin server task terminate session command uses. For example:
pdadmin> server task instance-webseald-host terminate session user_session_id
The Reverse Proxy instance name can be obtained from the iv_server_name HTTP header, which the Reverse Proxy passes to the junctioned back-end server in every request.
Reverse Proxy verifies that the back-end server initiating the terminate operation has appropriate permissions before terminating the user's session. Reverse Proxy then removes the corresponding session cache entry so that the session is terminated.
Consider carefully the conditions under which this command is used. Terminating a single user session removes only that session from the cache; if the intent is to remove the user from the secure domain entirely, the termination is effective only when the user's account is also invalidated (for example, marked not valid or removed) in the registry.
Certain authentication methods, such as basic authentication, client-side certificates, LTPA cookies and failover cookies, resubmit cached authentication data automatically with no user intervention. For a user who authenticated with any of these methods, the pdadmin server task terminate session action does not prevent an immediate re-login: the browser simply authenticates again on its next request. You must additionally invalidate the appropriate user account in the registry.
Refer to the Administration C API Developer Reference for further information and for ivadmin_server_performtask() syntax.
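The following is an added example, not code from the IBM documentation or product: it shows how a junctioned back-end application can assemble the two strings it needs, the server name (taken from the iv_server_name header, assumed here to already be in instance-webseald-host form) and the task string "terminate session <sid>" that is handed to ivadmin_server_performtask(), and the follow-up pdadmin command that marks the account not valid so that basic-auth, certificate, LTPA and failover-cookie clients cannot simply log straight back in. Header values and user names are constructed samples. Each value is checked to be a single token before it is embedded, so a malformed or unexpected value cannot add extra words to the command. Extracting the user_session_id portion from the full session ID string follows the format described under User session ID string format and is not repeated here; the exact ivadmin_server_performtask() signature and response handling are in the Administration C API Developer Reference.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define CMD_MAX 512

/* Single-token check: 1 if s is non-empty, at most max_len bytes, and made
 * only of alphanumerics or characters listed in extra. Spaces and control
 * characters are rejected, so a value cannot smuggle additional words (for
 * example a different task name) into the pdadmin command. */
static int is_token(const char *s, size_t max_len, const char *extra)
{
    if (s == NULL) return 0;
    size_t n = strlen(s);
    if (n == 0 || n > max_len) return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!isalnum(c) && strchr(extra, (char)c) == NULL) return 0;
    }
    return 1;
}

/* Session IDs: base64 / URL-safe characters (assumed character set).
 * Server names: host-name style plus '_'. User names: also '@'. */
int valid_session_id(const char *sid)  { return is_token(sid, 256, "-_.+/="); }
int valid_server_name(const char *srv) { return is_token(srv, 128, "-_."); }
int valid_user_name(const char *user)  { return is_token(user, 128, "-_.@"); }

/* Task string for ivadmin_server_performtask(): the part of
 *   pdadmin> server task <server> terminate session <sid>
 * that follows the server name. Static buffer; NULL if sid is rejected. */
const char *terminate_session_task(const char *sid)
{
    static char buf[CMD_MAX];
    if (!valid_session_id(sid)) return NULL;
    int n = snprintf(buf, sizeof buf, "terminate session %s", sid);
    return (n < 0 || (size_t)n >= sizeof buf) ? NULL : buf;
}

/* Complete pdadmin line. server_name is the iv_server_name header value,
 * assumed to be the instance-webseald-host form the server task expects.
 * Static buffer; NULL on any rejected input. */
const char *terminate_session_command(const char *server_name, const char *sid)
{
    static char buf[CMD_MAX];
    const char *task = terminate_session_task(sid);
    if (!valid_server_name(server_name) || task == NULL) return NULL;
    int n = snprintf(buf, sizeof buf, "server task %s %s", server_name, task);
    return (n < 0 || (size_t)n >= sizeof buf) ? NULL : buf;
}

/* Companion step from the text: with basic authentication, client
 * certificates, LTPA or failover cookies the client re-authenticates on
 * its next request, so the account itself is marked not valid. Names that
 * would need pdadmin quoting are rejected rather than quoted. */
const char *invalidate_account_command(const char *user)
{
    static char buf[CMD_MAX];
    if (!valid_user_name(user)) return NULL;
    int n = snprintf(buf, sizeof buf, "user modify %s account-valid no", user);
    return (n < 0 || (size_t)n >= sizeof buf) ? NULL : buf;
}

int main(void)
{
    /* Constructed sample values, not taken from a real deployment. */
    const char *iv_server_name = "default-webseald-proxy.example.com";
    const char *sid = "m0XbfyNpnOQMrfX0QgUb7Q";
    const char *user = "jdoe";

    const char *cmd = terminate_session_command(iv_server_name, sid);
    const char *acct = invalidate_account_command(user);
    if (cmd == NULL || acct == NULL) {
        fprintf(stderr, "rejected input\n");
        return 1;
    }
    printf("%s\n%s\n", cmd, acct);

    /* A value carrying an embedded space is refused, not forwarded. */
    printf("bad sid accepted: %s\n",
           terminate_session_task("abc terminate all_sessions jdoe") ? "yes" : "no");
    return 0;
}
```

The server name and the task string are kept separate because the C API takes them as separate arguments, while the full pdadmin line is convenient for audit logging of what the back-end application requested.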
When a user is logged out unexpectedly because of session termination, the original session cookie remaining on the user's browser becomes an old, or "stale" cookie that no longer maps to an existing entry in the Reverse Proxy session cache. When the user makes a subsequent request for a protected object, Reverse Proxy requires authentication and returns a login form. You can customize the login response to contain additional information that explains the reason for the new login requirement. For further information on this feature, see Customized responses for old session cookies.