Session invalidation
Session invalidation ensures that WebSphere Commerce terminates a site user's session when specific security-related events or actions take place. Invalidating stale or maliciously controlled sessions at these events ensures that they cannot be used to interact with the site in the context of the previously verified and active site user. A practical consequence is that a session identifier captured before such an event (for example, before a password reset) is worthless afterwards, because the server no longer recognizes it.
Session invalidation was enhanced in WebSphere Commerce version 8.0.4.26.
Session invalidation scenarios
The following table outlines the scenarios that lead to session invalidation, and any difference in site behavior depending on whether the multiple logon feature is enabled or disabled. With multiple logon enabled, a user can hold several concurrent sessions, so the distinction between ending all of a user's sessions and ending only one of them matters. For more information on the multiple logon feature, see Enabling multiple logon support for the same user.
Scenario | Behavior with multiple logon enabled | Behavior with multiple logon disabled |
---|---|---|
User session times out | Ends the timed-out session. | Ends the session. |
User logoff | | Ends the session. |
User updates their password while authenticated | | Does not end the current session where the password update was requested. |
User requests a password reset from the storefront | Ends all active sessions, and requires a logon to continue with any action. | Ends any active session, and requires a logon to continue with any action. |
Site administrator or customer support representative resets a user password from the storefront or WebSphere Commerce Accelerator | Ends all active sessions, and requires a logon to continue with any action. | Ends any active session, and requires a logon to continue with any action. |
User or malicious impersonator fails the maximum number of logon attempts | | |
User is disabled by a site administrator through WebSphere Commerce Accelerator | | |
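The following is an added example, not WebSphere Commerce code, that models the invalidation behavior the table above states as a small server-side session registry. It implements only the rows the table fills in: idle timeout ends the timed-out session, logoff ends the session that logged off, a user's own password update keeps the requesting session, and a password reset (by the user or by an administrator) ends every active session of that user. Two points are assumptions of this model rather than statements from the page: that "multiple logon disabled" means a new logon replaces the user's previous session, and that a password update in multiple-logon mode ends the user's other sessions. The rows the table leaves blank are not implemented.

```python
"""Illustrative session registry (added example; not WebSphere Commerce code).

Models the session invalidation events described in the table above for a
user with the multiple logon feature enabled (several concurrent sessions)
or disabled (at most one live session per user).
"""
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Session:
    session_id: str
    user_id: str
    last_active: float


class SessionRegistry:
    """Server-side registry of active sessions, keyed by opaque session id."""

    def __init__(self, multiple_logon: bool, idle_timeout_seconds: float = 1800.0):
        self.multiple_logon = multiple_logon
        self.idle_timeout = idle_timeout_seconds
        self._sessions: Dict[str, Session] = {}

    def _user_sessions(self, user_id: str) -> List[Session]:
        return [s for s in self._sessions.values() if s.user_id == user_id]

    def _end_user_sessions(self, user_id: str, keep: Optional[str] = None) -> int:
        """End every session of user_id except `keep`; return how many were ended."""
        ended = [s.session_id for s in self._user_sessions(user_id) if s.session_id != keep]
        for sid in ended:
            del self._sessions[sid]
        return len(ended)

    def active_session_count(self, user_id: str) -> int:
        return len(self._user_sessions(user_id))

    def logon(self, user_id: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        if not self.multiple_logon:
            # Assumption of this model: with multiple logon disabled a user has
            # at most one live session, so a new logon replaces the old one.
            self._end_user_sessions(user_id)
        sid = secrets.token_urlsafe(32)  # 256 bits of entropy; never derived from user data
        self._sessions[sid] = Session(sid, user_id, now)
        return sid

    def is_valid(self, sid: str, now: Optional[float] = None) -> bool:
        """Validate a presented session id; a timed-out session is ended on sight."""
        now = time.time() if now is None else now
        s = self._sessions.get(sid)
        if s is None:
            return False
        if now - s.last_active > self.idle_timeout:
            del self._sessions[sid]  # table: "ends the timed-out session"
            return False
        s.last_active = now
        return True

    def logoff(self, sid: str) -> None:
        """Table: logoff ends the session that requested it."""
        self._sessions.pop(sid, None)

    def password_updated(self, sid: str) -> int:
        """Authenticated user changed their own password.

        The requesting session stays valid, as the table states. Ending the
        user's *other* sessions in multiple-logon mode is this example's
        assumption; the page does not state that behavior.
        """
        s = self._sessions.get(sid)
        if s is None:
            return 0
        return self._end_user_sessions(s.user_id, keep=sid)

    def password_reset(self, user_id: str) -> int:
        """Storefront or administrator password reset: end every active session
        of the user, so the next action requires a fresh logon."""
        return self._end_user_sessions(user_id)
```

The key design choice is that sessions are indexed by user as well as by session id: "end all active sessions for this user" is only possible if the server can enumerate a user's sessions, which a purely cookie-bound session store cannot do. An alternative that scales better is to store a per-user generation counter and reject any session minted before the current generation.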