Session invalidation

Session invalidation ensures that site user sessions are terminated by WebSphere Commerce when specific security-related events or actions take place. Invalidation of stale or maliciously controlled sessions in the context of these events ensures that they cannot be used to interact with the site in the context of the previously verified and active site user. Session invalidation was enhanced in WebSphere Commerce version 8.0.4.26.

Session invalidation scenarios

The following table outlines the scenarios that will lead to session invalidation, and any differences in site behavior with the multiple logon feature enabled, or disabled.

For more information on the multiple logon feature, see Enabling multiple logon support for the same user.

Scenario: User session times out
  Multiple logon enabled: Ends the timed-out session.
  Multiple logon disabled: Ends the session.

Scenario: User logoff
  Multiple logon enabled:
    • Ends only the session in which the user expressly logged off.
    • WebSphere Commerce Version 8.0.4.26 or later: The optional parameter terminateAllSessions can be set to true to end all active sessions.
  Multiple logon disabled: Ends the session.

Scenario: User updates their password while authenticated
  Multiple logon enabled:
    • Does not end the current session in which the password update was requested.
    • WebSphere Commerce Version 8.0.4.26 or later: Ends all other active sessions and forces a login to continue with any actions.
  Multiple logon disabled: Does not end the current session in which the password update was requested.

Scenario (WebSphere Commerce Version 8.0.4.26 or later): User requests a password reset from the storefront
  Multiple logon enabled: Ends all active sessions and requires a login to continue with any actions.
  Multiple logon disabled: Ends any active session and requires a login to continue with any actions.

Scenario (WebSphere Commerce Version 8.0.4.26 or later): Site administrator or customer support representative resets a user password from the storefront or WebSphere Commerce Accelerator
  Multiple logon enabled: Ends all active sessions and requires a login to continue with any actions.
  Multiple logon disabled: Ends any active session and requires a login to continue with any actions.

Scenario: User or malicious impersonator fails the maximum number of logon attempts
  Multiple logon enabled:
    • Prior to 8.0.4.24: The user account is disabled and requires a site administrator or customer support representative to enable it. No sessions are invalidated.
    • WebSphere Commerce Version 8.0.4.24 or later: The user is locked out and must reset their password.
  Multiple logon disabled:
    • Prior to 8.0.4.24: The user account is disabled and requires a site administrator or customer support representative to enable it. No sessions are invalidated.
    • WebSphere Commerce Version 8.0.4.24 or later: The user is locked out and must reset their password.

Scenario: User is disabled by a site administrator via WebSphere Commerce Accelerator
  Multiple logon enabled:
    • Prior to 8.0.4.26: The user account is disabled and future logon attempts are prevented. Active sessions are not invalidated.
    • WebSphere Commerce Version 8.0.4.26 or later: The user account is disabled and future logon attempts are prevented. Ends all active sessions.
  Multiple logon disabled:
    • Prior to 8.0.4.26: The user account is disabled and future logon attempts are prevented. The active session is not invalidated.
    • WebSphere Commerce Version 8.0.4.26 or later: The user account is disabled and future logon attempts are prevented. Ends any active session.
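The rules above only work if the server can find every session that belongs to a user, not just the session that made the current request. The following Python model is an added example, not WebSphere Commerce code, showing a per-user session registry that applies the 8.0.4.26-and-later behaviour for each event in the table: idle timeout, logoff with an optional terminateAllSessions flag, authenticated password change (keeps the requesting session, ends the rest), password reset and account disablement (end everything). The session-id format, the idle-timeout value, and the choice that single-logon mode keeps at most one session per user are assumptions made for this example.

```python
# Added illustrative model of the session-invalidation rules in the table.
# Not WebSphere Commerce code; the registry shape, session ids and the
# idle timeout value are assumptions made for this example.
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class Session:
    session_id: str
    user_id: str
    last_seen: float      # seconds; caller supplies the clock
    active: bool = True


class SessionRegistry:
    """Server-side registry that can end sessions by user, not only by id.

    Indexing sessions by user is what makes 'ends all active sessions'
    enforceable; a store keyed only by session id cannot implement it.
    """

    def __init__(self, multiple_logon: bool, idle_timeout: float = 1800.0):
        self.multiple_logon = multiple_logon
        self.idle_timeout = idle_timeout          # assumed value, in seconds
        self._sessions: Dict[str, Session] = {}
        self._disabled: Set[str] = set()

    def active_sessions(self, user_id: str) -> List[str]:
        return sorted(s.session_id for s in self._sessions.values()
                      if s.user_id == user_id and s.active)

    def _end(self, session_id: str) -> None:
        s = self._sessions.get(session_id)
        if s is not None:
            s.active = False

    def _end_all(self, user_id: str, keep: Optional[str] = None) -> None:
        for sid in self.active_sessions(user_id):
            if sid != keep:
                self._end(sid)

    # --- events from the table --------------------------------------
    def logon(self, user_id: str, now: float) -> str:
        """Disabled accounts cannot log on; single-logon mode replaces
        any existing session (assumption for this model)."""
        if user_id in self._disabled:
            raise PermissionError("account disabled")
        if not self.multiple_logon:
            self._end_all(user_id)
        sid = secrets.token_urlsafe(16)
        self._sessions[sid] = Session(sid, user_id, now)
        return sid

    def touch(self, session_id: str, now: float) -> bool:
        """Validate a request. Returns False if the session was ended or
        has exceeded the idle timeout (which ends it)."""
        s = self._sessions.get(session_id)
        if s is None or not s.active:
            return False
        if now - s.last_seen > self.idle_timeout:
            self._end(session_id)
            return False
        s.last_seen = now
        return True

    def logoff(self, session_id: str, terminate_all_sessions: bool = False) -> None:
        """Ends the calling session, or every session of the user when
        terminate_all_sessions is set."""
        s = self._sessions.get(session_id)
        if s is None:
            return
        if terminate_all_sessions:
            self._end_all(s.user_id)
        else:
            self._end(session_id)

    def password_updated(self, session_id: str) -> None:
        """Authenticated password change: keep the requesting session,
        end all other sessions of that user."""
        s = self._sessions[session_id]
        self._end_all(s.user_id, keep=session_id)

    def password_reset(self, user_id: str) -> None:
        """Reset from the storefront, an administrator or a CSR: end
        every session, so any further action requires a fresh login."""
        self._end_all(user_id)

    def disable_user(self, user_id: str) -> None:
        """Account disabled: block future logons and end active sessions."""
        self._disabled.add(user_id)
        self._end_all(user_id)
```

The point to check in a real deployment is the same one the model makes explicit: after a password reset or account disablement, a request carrying a previously valid session cookie must fail `touch`-style validation, not merely the next logon attempt.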