Using DSAPI for authentication

Domino R5. The scenario follows:

A custom DSAPI filter has been written to authenticate users by encrypting a querystring or cookie value. As long as session authentication is turned off on the server, everything works fine. As soon as session authentication is turned on, the user is prompted to log in with username and password. Is there a way to make session authentication "accept" a user that has been authenticated by a DSAPI filter?

Here is an answer to your question, courtesy of Daniel Nashed (

I have coded a test DSAPI filter here to simulate different kinds of events and looked into some details. Some stuff was interesting to see because I never looked into this aspect before. DSAPI is a very strange beast and people have to be very careful using this for authentication. I hope the following answer gives the guy asking a basic idea of the solution.

Normally, authenticating a user and having a session are two different things. When the user is not yet authenticated, the DSAPI event to authenticate the user is called. If the user is already authenticated via DSAPI or via a normal password, in the authentication event the "found in cache" property normally returns true and you can leave the event. But this has nothing to do with session-based or basic authentication. Even for session-based authentication it can happen that "found in cache" is not true, even if you have a session cookie! That's interesting and I did not check this before.

For basic authentication you get the user/password unencrypted (only Base64 coded) for each request. For session-based authentication the user/password comes from the cookie. In both cases they can be used to re-authenticate the user via the filter in the authentication event if needed. So there is not much difference between basic authentication and session-based authentication. It depends on the coding in the authentication event.

When you authenticate the user by reading a customized cookie or URL string, Domino will still use the session cookie later on. If you don't use session-based authentication you have to make sure that you have that cookie or URL string present for each request. For the customized cookie this is easy, but for URLs you have to rewrite them for each request.

This stuff is quite complex and a more detailed answer would need a very detailed question. I hope this gives a basic idea of what to check.
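The logic of the authentication event described in the answer above, as an added example that is not part of the original post and not Daniel Nashed's test filter. DSAPI filters are written in C; the real entry point and event structures come from Domino's dsapi.h, which is not reproduced here, so the `AuthEvent` struct, the `FILTER_*`/`AUTH_*` codes, the cookie name `XAuthToken`, and the in-memory session and user tables are all assumptions standing in for the real API and directory lookups. The example shows the three paths the answer distinguishes: leave the event when "found in cache" is set, accept the filter's own cookie on every request (validated against a server-side token table rather than by decrypting the cookie value), and otherwise fall back to the Basic credentials, which arrive Base64 encoded rather than encrypted.

```c
#include <stdio.h>
#include <string.h>

/* Local stand-ins for DSAPI's kFilterNotHandled/kFilterHandledEvent and the
 * authenticate-event data (assumed layout; not from dsapi.h). */
enum { FILTER_NOT_HANDLED = 0, FILTER_HANDLED = 1 };
enum { AUTH_NONE = 0, AUTH_OK = 1 };

typedef struct {
    const char *userName;   /* what Domino extracted: Basic credentials or session cookie */
    const char *password;
    int foundInCache;       /* Domino already has this user authenticated */
    char authName[128];     /* filter output: the authenticated name */
    int authType;           /* filter output: AUTH_NONE or AUTH_OK */
} AuthEvent;

/* Constructed sample data. A real filter keeps issued tokens in its own store
 * and verifies passwords against the Domino directory, not a static table. */
static const struct { const char *token; const char *user; } g_sessions[] = {
    { "8f3a0c2d9b7e4a1f", "CN=Alice Example/O=Acme" },
    { "41d2e6c0aa93f7b5", "CN=Bob Example/O=Acme" },
};
static const struct { const char *user; const char *password; } g_users[] = {
    { "alice", "s3cret" }, { "bob", "hunter2" },
};

/* Constant-time string comparison so token/password checks do not leak prefix matches. */
static int ct_equal(const char *a, const char *b) {
    size_t la = strlen(a), lb = strlen(b), i;
    unsigned char diff = (unsigned char)(la ^ lb);
    for (i = 0; i < la && i < lb; i++) diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Extract "name=value" from a Cookie header ("; "-separated pairs). */
static int get_cookie(const char *hdr, const char *name, char *out, size_t outlen) {
    size_t nlen = strlen(name);
    const char *p = hdr;
    while (p && *p) {
        while (*p == ' ' || *p == ';') p++;
        if (strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
            const char *v = p + nlen + 1, *e = strchr(v, ';');
            size_t vlen = e ? (size_t)(e - v) : strlen(v);
            if (vlen >= outlen) return 0;
            memcpy(out, v, vlen); out[vlen] = '\0';
            return 1;
        }
        p = strchr(p, ';');
    }
    return 0;
}

/* Base64 decode (no padding handling needed for "user:password"); -1 on bad input. */
static int b64_decode(const char *in, char *out, size_t outlen) {
    const char *tbl = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    unsigned int acc = 0; int bits = 0; size_t n = 0;
    for (; *in && *in != '='; in++) {
        const char *q = strchr(tbl, *in);
        if (!q) return -1;
        acc = (acc << 6) | (unsigned int)(q - tbl); bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n + 1 >= outlen) return -1;
            out[n++] = (char)((acc >> bits) & 0xFF);
        }
    }
    out[n] = '\0';
    return (int)n;
}

static const char *find_session(const char *token) {
    size_t i; const char *found = NULL;
    for (i = 0; i < sizeof g_sessions / sizeof g_sessions[0]; i++)
        if (ct_equal(token, g_sessions[i].token)) found = g_sessions[i].user;
    return found;
}

static int check_password(const char *user, const char *pw) {
    size_t i; int ok = 0;
    for (i = 0; i < sizeof g_users / sizeof g_users[0]; i++)
        if (strcmp(user, g_users[i].user) == 0 && ct_equal(pw, g_users[i].password)) ok = 1;
    return ok;
}

/* Authenticate-event handler. Returns FILTER_HANDLED when the filter vouched for
 * the user (authName/authType set); FILTER_NOT_HANDLED lets Domino prompt as usual. */
int filter_authenticate(AuthEvent *ev, const char *cookie_hdr, const char *auth_hdr) {
    char token[64], creds[128];
    const char *user = ev->userName, *pw = ev->password;
    ev->authType = AUTH_NONE; ev->authName[0] = '\0';

    /* 1. Already authenticated (by Domino or by us earlier): leave the event. */
    if (ev->foundInCache) return FILTER_NOT_HANDLED;

    /* 2. Our own cookie, checked on every request. A bad token is never trusted. */
    if (cookie_hdr && get_cookie(cookie_hdr, "XAuthToken", token, sizeof token)) {
        const char *u = find_session(token);
        if (!u) return FILTER_NOT_HANDLED;
        snprintf(ev->authName, sizeof ev->authName, "%s", u);
        ev->authType = AUTH_OK;
        return FILTER_HANDLED;
    }

    /* 3. Fall back to Basic credentials: only Base64, so decode them if Domino did not. */
    if ((!user || !pw) && auth_hdr && strncmp(auth_hdr, "Basic ", 6) == 0 &&
        b64_decode(auth_hdr + 6, creds, sizeof creds) > 0) {
        char *colon = strchr(creds, ':');
        if (colon) { *colon = '\0'; user = creds; pw = colon + 1; }
    }
    if (user && pw && check_password(user, pw)) {
        snprintf(ev->authName, sizeof ev->authName, "%s", user);
        ev->authType = AUTH_OK;
        return FILTER_HANDLED;
    }
    return FILTER_NOT_HANDLED;
}
```

Keeping the token opaque and looked up server-side avoids having to get cookie encryption right inside the filter, and a cookie (sent with Secure and HttpOnly flags) avoids the per-request URL rewriting the answer warns about; a token carried in the querystring also ends up in server logs and Referer headers.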
