Domino-issued cookies for session-based authentication and single sign-on (SSO)
This document contains information about the cookies generated by a Lotus Domino server when you enable session-based authentication.
What are the options for session-based authentication?
You can enable session-based authentication, as opposed to basic name-and-password authentication, for a single server or for multiple servers. When it is enabled for a single server, the feature is simply called session-based authentication. To enable it, you set the Session Authentication field to "Single Server."
Session-based authentication for multiple servers is commonly referred to as single sign-on (SSO). This feature was introduced in Domino 5.0.5. To enable it, you set the Session Authentication field to "Multiple servers" and create a Web SSO Configuration document.
Enabling session authentication allows you these advantages:
- You can avoid realm problems that cause users to be prompted repeatedly for user name and password.
- You can track user sessions using a console command.
- Users can log off a session by appending "?logout" to a URL; they do not have to exit the browser to end a session.
- You can customize the log-in screen.
- With SSO, Web users can log on once to a Domino or WebSphere server and then access any other Domino or WebSphere server in the same DNS domain that is enabled for SSO without logging on again.
What cookie is created?
When a Web browser user provides credentials (user name and password), the server issues a cookie to the browser. For session-based authentication on a single server the cookie contains a session ID. The cookie name is DomAuthSessID. By default, the cookie expires after 30 minutes of inactivity. You specify this setting in the "Idle session timeout" field in the Server document.
With SSO, the server generates an authentication token that is transported to the browser in a cookie. For SSO, the cookie name is LtpaToken. You set the expiration with the Token Expiration field in the Web SSO Configuration document; some releases also provide an Idle Session Timeout field there. The token is a bearer credential: any client that presents a valid, unexpired LtpaToken is accepted by every SSO-enabled server in the domain as the user it names, so protect it in transit (use SSL) and keep the expiration short. The cookie used for single sign-on stores the full Distinguished Name (DN) of the user, as in the following example:
cn=john smith,ou=sales, o=ibm, c=us
URLs for servers configured for single sign-on must use the server's full DNS name (for example, server1.ibm.com), not just the host name or the IP address. The SSO cookie carries the DNS domain so that the browser will send it to every server in that domain, and a browser sends a domain-scoped cookie only to hosts whose names fall within that domain; a bare host name or an IP address never matches.
Tracking information about users and cookies
The Domino server console command "Tell HTTP Show Users" may be used for tracking and displaying user sessions.
Web browser users can enter the following command as a URL or Web address to see the cookies currently in memory:
Viewing the cookie as it exists in the browser can be a useful troubleshooting step, because you can verify the correct cookie name was set.
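The two scoping rules above (a single-server DomAuthSessID cookie is host-only; an LtpaToken cookie is scoped to the DNS domain and therefore reaches only servers addressed by their full DNS name) and the browser-side name check, as an added JavaScript example. This is not code from the technote or from Domino: the cookie names come from the text, while the Set-Cookie lines, host names and token values are constructed for illustration, and the domain-matching logic is the generic RFC 6265 rule that browsers apply, not anything Domino-specific.

```javascript
// Added example: simulate the browser's cookie-scoping decision for the two
// Domino session cookies, and inspect a document.cookie string for them.
// Set-Cookie lines, host names and token values below are constructed.
const SSO_COOKIE = "LtpaToken=AAECAwQFBgcICQ; Domain=.ibm.com; Path=/";
const SINGLE_COOKIE = "DomAuthSessID=1A2B3C4D5E6F; Path=/";

// Parse one Set-Cookie header into { name, value, attrs } (attribute keys lowercased).
function parseSetCookie(header) {
  const [pair, ...attrParts] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const part of attrParts) {
    if (!part) continue;
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : part.slice(i + 1);
  }
  return cookie;
}

function isIPv4(host) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(host);
}

// RFC 6265 domain matching: the request host equals the cookie domain or is a
// subdomain of it. An IP address never domain-matches, so http://10.1.2.3/
// never receives an SSO cookie scoped to ibm.com; neither does a bare "server2".
function domainMatches(host, cookieDomain) {
  host = host.toLowerCase();
  const domain = cookieDomain.toLowerCase().replace(/^\./, "");
  if (host === domain) return true;
  if (isIPv4(host)) return false;
  return host.endsWith("." + domain);
}

// Would a browser that received setCookieHeader from originHost send the
// cookie on a request to requestHost? Without a Domain attribute the cookie is
// host-only, which is the single-server DomAuthSessID case.
function cookieSentTo(setCookieHeader, originHost, requestHost) {
  const c = parseSetCookie(setCookieHeader);
  if (c.attrs.domain === undefined) {
    return requestHost.toLowerCase() === originHost.toLowerCase();
  }
  return domainMatches(requestHost, c.attrs.domain);
}

// Inspect a document.cookie string ("a=1; b=2") and report which Domino
// session cookie, if any, is visible to script.
function inspectBrowserCookies(cookieString) {
  const names = new Set(
    cookieString.split(";").map((s) => s.trim()).filter(Boolean).map((s) => s.split("=")[0])
  );
  if (names.has("LtpaToken")) return "LtpaToken: multi-server SSO session";
  if (names.has("DomAuthSessID")) return "DomAuthSessID: single-server session";
  // Neither visible: session authentication may be off, the user may not have
  // logged in yet, or the cookie was set with HttpOnly, which hides it from
  // document.cookie even though the browser still sends it to the server.
  return "no Domino session cookie visible to script";
}

if (typeof require !== "undefined" && require.main === module) {
  for (const host of ["server2.ibm.com", "server2", "10.1.2.3"]) {
    console.log(`LtpaToken from server1.ibm.com sent to ${host}:`,
      cookieSentTo(SSO_COOKIE, "server1.ibm.com", host));
  }
  console.log("DomAuthSessID sent to server2.ibm.com:",
    cookieSentTo(SINGLE_COOKIE, "server1.ibm.com", "server2.ibm.com"));
  console.log(inspectBrowserCookies("LtpaToken=AAECAwQFBgcICQ; other=1"));
}
```

Run it with Node to see the scoping decisions; in a browser, pass `document.cookie` to `inspectBrowserCookies` to perform the troubleshooting step described above, keeping in mind that an HttpOnly cookie will not appear there.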
You can find more information about session-based authentication, and links to setup steps, in the Domino Administrator Help topic "Session-based name-and-password authentication for Web clients."
More support for:
Lotus End of Support Products
Software version: 5.0, 6.0, 6.5, 7.0
Operating system(s): AIX, IBM i, Linux, Solaris, Windows
Reference #: 7003558
Modified date: 16 September 2005