Session-based name-and-password authentication for Web clients

To set up name-and-password authentication for Web clients who have access to a Domino® Web server, you can use one of two methods: basic name-and-password authentication or session-based name-and-password authentication. Session-based name-and-password authentication includes additional functionality that is not available with basic name-and-password authentication. A session is defined as the time during which a Web client is actively logged onto a server with a cookie. To specify settings that enable and control session authentication, you edit the Web Site document or the Server document, depending on your configuration.

Session-based authentication can be enabled in one of two modes, single-server or multi-server. In single-server mode the server generates a cookie that is honored only by the server that issued it. In multi-server mode the cookie allows single sign-on to any server that shares the same Web SSO Configuration document.

To use session-based authentication, Web clients must use a browser that supports cookies. Domino uses cookies to track user sessions.

Features of session-based name-and-password authentication

Basic name-and-password authentication sends the client's name and password with every request to the server, Base64-encoded but not encrypted unless the connection itself uses SSL/TLS. Session-based authentication differs in that the user's name and password cross the network only once, when the user logs in to the server, not with each subsequent request. After a successful login the server issues a session cookie, the browser stores it, and the browser sends the cookie to the server with each request. Before honoring a request, the server verifies the cookie and uses its contents to identify the logged-in user. The session is valid only within the browser in which the login was performed. If the user closes that browser, the session ends and the browser discards the cookie.

Using session-based name-and-password authentication provides greater control over user interaction than basic name-and-password authentication. For example, you can customize the form in which users enter their name and password information. It also allows users to log out of the session without closing the browser.

Customized HTML log-in form

An HTML log-in form allows a user to enter a name and password once and then use that identity for the entire user session. The browser sends the name and password to the server using the server's character set. For HTTP session authentication, a user name can contain any printable Unicode characters. The password, however, must consist of printable US-ASCII characters only.

Note: Printable characters excludes control characters.

Domino provides a default HTML log-in form, $$LoginUserForm, which is stored and configured in the Domino Configuration database (DOMCFG.NSF). You can customize that form or create your own to collect additional information.

Idle session timeout

You can specify an idle timeout after which Domino logs the Web client off the server. When the timeout elapses, the cookie that Domino uses to track the user session expires. Automatically logging a user off prevents someone else from using the still-open browser to act as that user if the user leaves the workstation without logging off. If you enable session-based name-and-password authentication for a server, users can also append ?logout to the end of a URL to end a session -- for example, http://renovationsserver/sessions.nsf?logout.

You can also redirect the logout to a design element or URL. For example:

http://renovationsserver/sessions.nsf?logout&redirectto=/logoutDB.nsf/logoutApp?OpenPage

http://renovationsserver/sessions.nsf?logout&redirectto=http://www.sales.com

You can build this expression into an application -- for example, using it in a button -- or type it in as a URL.

Maximum user sessions

You can specify the maximum number of concurrent user sessions allowed on the server for single-server session-based authentication only. If server performance is slow, you can reduce this number.

Internet password management

You can also manage Internet passwords for session-based authentication through policy documents and custom password policies.

Multi-server session-based authentication

Multi-server session-based authentication, also known as single sign-on, allows Domino cookies to span servers. It also allows Domino and WebSphere servers to interoperate and share cookies.

Note: If your servers are set up for round-robin DNS, use the multi-server (single sign-on) option for session-based name-and-password authentication. With the single-server cookie, session information is held only in the memory of the server that issued the cookie, so a request that round-robin DNS routes to a different server is not recognized as logged in. In addition, if a server is restarted or crashes, its in-memory session information is lost and users must re-enter their names and passwords. With the multi-server setting, the session cookie might still be valid after a server restart (if the cookie has not yet expired). However, the user must continue to access the server from the same browser window in which the logon was performed.
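The following is an added example, not Domino code and not from this documentation. It is a small in-memory model of the single-server session behavior described in the sections above: the name and password are sent only at login, every later request carries only a cookie, the idle timeout expires the session, ?logout with redirectto ends it, the maximum-sessions limit is enforced, and a second server (the round-robin DNS case) or a restarted server does not recognize the cookie. It also applies the character rules for names and passwords from the log-in form section. The server names, user name, password, timeout and session limit are constructed sample values, and the choice to make the cookie a random server-side lookup key rather than to encode the user name in it is a design decision of this example, not a statement about Domino's cookie format.

```python
import secrets
import string
import time

PRINTABLE_ASCII = set(string.printable) - set("\t\n\r\x0b\x0c")  # US-ASCII 0x20-0x7E


class AuthError(Exception):
    pass


def validate_credentials(name, password):
    """Printable Unicode in the name, printable US-ASCII in the password."""
    if not name or not name.isprintable():
        raise AuthError("name must be non-empty printable Unicode")
    if not password or any(c not in PRINTABLE_ASCII for c in password):
        raise AuthError("password must be non-empty printable US-ASCII")


class SessionServer:
    """One Web server holding single-server sessions only in its own memory."""
    def __init__(self, name, users, idle_timeout, max_sessions, clock=time.monotonic):
        self.name = name
        self._users = users        # name -> password (constructed directory)
        self._sessions = {}        # cookie value -> {"user", "last_seen"}
        self.idle_timeout = idle_timeout
        self.max_sessions = max_sessions
        self._clock = clock

    def _expire_idle(self):
        now = self._clock()
        for token in [t for t, s in self._sessions.items()
                      if now - s["last_seen"] > self.idle_timeout]:
            del self._sessions[token]

    def login(self, name, password):
        """The only exchange carrying name and password; returns an opaque cookie."""
        validate_credentials(name, password)
        if self._users.get(name) != password:
            raise AuthError("bad name or password")
        self._expire_idle()
        if len(self._sessions) >= self.max_sessions:
            raise AuthError("maximum user sessions reached")
        token = secrets.token_urlsafe(32)   # random; never derived from the password
        self._sessions[token] = {"user": name, "last_seen": self._clock()}
        return token

    def request(self, cookie):
        """Every later request carries only the cookie; returns the user name."""
        self._expire_idle()
        s = self._sessions.get(cookie)
        if s is None:
            raise AuthError("no valid session on %s; log in again" % self.name)
        s["last_seen"] = self._clock()   # activity restarts the idle timer
        return s["user"]

    def logout(self, cookie, redirectto="/"):
        """?logout[&redirectto=...]: drop the session, then redirect."""
        self._sessions.pop(cookie, None)
        return redirectto


class FakeClock:
    def __init__(self, t=0.0): self.t = t          # controllable clock, no sleeping
    def __call__(self): return self.t
    def advance(self, seconds): self.t += seconds


def demo():
    """Run the lifecycle on constructed data; returns what each step observed."""
    clock, user, pw = FakeClock(), "Jane Doe/Renovations", "s3cret!"
    def server(name):          # both servers share the same (constructed) directory
        return SessionServer(name, {user: pw}, idle_timeout=600, max_sessions=2, clock=clock)
    def attempt(fn):
        try:
            fn()
            return "accepted"
        except AuthError:
            return "rejected"

    a, b, out = server("renovationsserver"), server("renovationsserver2"), {}
    cookie = a.login(user, pw)
    out["first_request"] = a.request(cookie)                   # cookie identifies the user
    out["other_server"] = attempt(lambda: b.request(cookie))   # round-robin DNS lands on b
    clock.advance(599)
    a.request(cookie)                                          # still active; timer restarts
    clock.advance(601)
    out["after_idle"] = attempt(lambda: a.request(cookie))     # idle longer than 600 s
    c1, c2 = a.login(user, pw), a.login(user, pw)
    out["third_login"] = attempt(lambda: a.login(user, pw))    # max_sessions reached
    out["redirect"] = a.logout(c1, "/logoutDB.nsf/logoutApp?OpenPage")
    out["after_logout_login"] = attempt(lambda: a.login(user, pw))
    out["after_restart"] = attempt(lambda: server("renovationsserver").request(c2))
    out["nonascii_password"] = attempt(lambda: a.login(user, "pässword"))
    return out


if __name__ == "__main__":
    for step, result in demo().items():
        print(step, result)
```

Running the script prints one line per step. The two results worth dwelling on are other_server and after_restart: both are rejected because the session lives only in one process's memory, which is exactly why the note above recommends the multi-server option behind round-robin DNS. The idle check runs on every request, so a cookie that has gone unused for longer than the timeout is refused even though the browser still holds it.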

Related concepts
Understanding Internet site documents on Domino servers
Name-and-password authentication for Internet/intranet clients

Related tasks
Hosting Web sites
Configuring a database ACL
Multi-server session-based authentication (single sign-on)
Customizing the HTML log-in form
Setting up session-based name-and-password authentication