SECURITY

Session-based name-and-password authentication for Web clients
To set up name-and-password authentication for Web clients who have access to a Domino Web server, you can use one of two methods: basic name-and-password authentication or session-based name-and-password authentication. Session-based name-and-password authentication includes additional functionality that is not available with basic name-and-password authentication. A session is the time during which a Web client is actively logged onto a server with a cookie. To specify settings that enable and control session authentication, you edit the Web Site document or the Server document, depending on your configuration.

You have two options for enabling session-based authentication: single-server and multi-server. The single-server option causes the server to generate a cookie that is honored only by the server that generated it, while the multi-server option generates a cookie that allows single sign-on with any server that shares the Web SSO configuration document.

To use session-based authentication, Web clients must use a browser that supports cookies. Domino uses cookies to track user sessions.

Features of session-based name-and-password authentication

Basic name-and-password authentication sends the client's name and unencrypted password with each request to the server. Session-based authentication differs in that the client's name and encrypted password are stored in a cookie on the workstation. That information is sent over the network only the first time the user logs in to a server, not each time a request is posted. Using session-based name-and-password authentication provides greater control over user interaction than basic name-and-password authentication. For example, you can customize the form in which users enter their name and password information. It also allows users to log out of the session without closing the browser.

Customized HTML log-in form

An HTML log-in form allows a user to enter a name and password and then use that name and password for the entire user session. The browser sends the name and password to the server using the server's character set. For HTTP session authentication, a user can enter a name using any printable Unicode characters. The user password, however, must contain only printable US-ASCII characters.

Note Printable characters exclude control characters.

Domino provides a default HTML form, $$LoginUserForm, which is stored and configured in the Domino Configuration database (DOMCFG.NSF). You can customize this form or create your own to contain additional information.

Default logout time period

You can specify a default logout time period to log the Web client off the server after a specified period of inactivity. This forces the cookie that Domino uses to track the user session to expire. Automatically logging a user off the server prevents others from using the Web client to impersonate a user if the user leaves the workstation before logging off. If you enable session-based name-and-password authentication for a server, users can also append ?logout at the end of a URL to log off a session -- for example, http://acmeserver/sessions.nsf?logout.

You can also redirect the logout to a design element or URL. For example:


You can build this expression into an application -- for example, using it in a button -- or type it in as a URL.

Maximum user sessions

You can specify the maximum number of concurrent user sessions allowed on the server for single-server session-based authentication only. If server performance is slow, you can reduce this number.

Internet password management

Domino 6 provides features for managing Internet passwords for session-based authentication.

Multi-server session-based authentication

Multi-server session-based authentication, also known as single sign-on, allows Domino cookies to span servers. It also allows Domino and WebSphere servers to interoperate and share cookies.

Note If your servers are set up for round-robin DNS, you should use the multi-server (or single sign-on) option for session-based name-and-password authentication. With the single-server cookie, session information is stored only in the memory of the server that issued the cookie, so it cannot be used when round-robin DNS sends a later request to a different server. In addition, if a server is restarted or crashes, session information is lost, and users must re-enter their names and passwords. This does not occur with the multi-server session authentication option.
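The following is an added toy model, not Domino code, of the single-server and multi-server cookie behaviour described above and under "Default logout time period": a single-server cookie is an opaque id whose state lives in one server's memory, so a sibling server behind round-robin DNS rejects it and an idle timeout expires it; a multi-server cookie carries its claims and an HMAC under a shared secret, which here stands in for the shared Web SSO configuration document. The class and function names, the HMAC construction and the 1800-second idle timeout are assumptions of the model, not documented Domino internals.

```python
import base64, hashlib, hmac, json, secrets

class WebServer:
    def __init__(self, name, mode, shared_secret=None, idle_timeout=1800):
        self.name, self.mode, self.idle_timeout = name, mode, idle_timeout
        self.secret = shared_secret or secrets.token_bytes(32)
        self.sessions = {}  # single-server mode: session state lives only in this process

    def login(self, user, now):
        if self.mode == "single":
            sid = secrets.token_urlsafe(16)  # opaque id; everything else stays server-side
            self.sessions[sid] = {"user": user, "last_seen": now}
            return sid
        # multi-server mode: the cookie carries its claims, authenticated with the shared secret
        claims = {"user": user, "expires": now + self.idle_timeout, "issuer": self.name}
        body = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
        return body + "." + hmac.new(self.secret, body.encode(), hashlib.sha256).hexdigest()

    def validate(self, cookie, now):
        # Returns the user name for a cookie this server accepts, else None.
        if self.mode == "single":
            sess = self.sessions.get(cookie)
            if sess is None:
                return None  # unknown here: issued by another server, or already logged out
            if now - sess["last_seen"] > self.idle_timeout:
                del self.sessions[cookie]  # default logout time period reached
                return None
            sess["last_seen"] = now
            return sess["user"]
        body, _, tag = cookie.rpartition(".")
        expected = hmac.new(self.secret, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return None  # tampered, or issued under a different Web SSO configuration
        claims = json.loads(base64.urlsafe_b64decode(body))
        return claims["user"] if now <= claims["expires"] else None

    def logout(self, cookie):
        self.sessions.pop(cookie, None)  # what ?logout does to single-server state

def demo(t=1_000_000):
    # Constructed scenario: two single-server nodes and two multi-server nodes behind round-robin DNS.
    a1, a2 = WebServer("a1", "single"), WebServer("a2", "single")
    shared = secrets.token_bytes(32)  # stands in for the shared Web SSO configuration document
    m1, m2 = WebServer("m1", "multi", shared), WebServer("m2", "multi", shared)
    s, m = a1.login("alice", t), m1.login("alice", t)
    return {
        "single_same_server": a1.validate(s, t + 10),
        "single_other_server": a2.validate(s, t + 10),  # DNS sent the next request to a2
        "single_idle_expired": a1.validate(s, t + 10 + 1801),
        "multi_other_server": m2.validate(m, t + 10),
        "multi_tampered": m2.validate("x" + m, t + 10),
        "multi_expired": m2.validate(m, t + 1801),
    }
```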
