Domino: Authentication Modes Supported

  • Updated

Riva supports the following two primary authentication modes available to Domino:

  1. Standard HTTP Authentication
  2. Session-based Forms Authentication
Notice! It is always highly recommended that all communication be HTTPS (SSL) encrypted. This will ensure that when credentials are exchanged between Riva and Domino, passwords are always encrypted.


Below is an excerpt from the Domino Administrator guide,

Name-and-password authentication, also known as basic password authentication, uses a basic challenge/response protocol to ask users for their names and passwords and then verifies the accuracy of the passwords by checking them against a secure hash of the password stored in Person documents in the IBM® Lotus® Domino(TM) Directory.


Standard HTTP Authentication

A common internet standard is HTTP authentication.

With Domino, this authentication method requires that every request including subsequent requests include the complete HTTP authentication header. This header includes the username and password.


  1. Not affected by session timeouts.
  2. No need for applications to keep session states.
  3. Low server memory consumption.
  4. Easily scales for distributed load.


  1. For every request, the credentials are included in the HTTP headers.

Session-Based Forms Authentication

This is a common authentication process. Users are prompted with a web-based form for their credentials when they first access a password-protected section of the site.

With Domino, this authentication method requires that session-based form authentication be enabled.


  1. The credentials are exchanged once at the beginning of the session.
  2. The session can be used until an inactivity timeout or session reset.
  3. Used to enable single sign-on or enable gated authentication.


  1. Applications must store and manage session states, including re-authentication.
  2. Higher server memory usage, because the session state must be maintained.
  3. Session timeout requires applications to re-authenticate after timeout.
  4. More complicated scaling to distribute loads in a multi-server environment.
  5. Uses HTTP cookies to maintain sessions that must be kept by the application.

Was this article helpful?




Article is closed for comments.