Changes

stoney core: OpenLDAP directory data organisation

115 bytes added, 15:29, 13 April 2021
/* People - Person - Session tokens */
==== People - Person - Session tokens ====
Using session tokens, when the user logs out, the client sends a logout request to the server. The token is discarded the removed from LDAP by the server and the client. However, if anyone keeps hold of discards the token, further API requests are still possible using said token until the token expires. In other words Special cases: a "log out" procedure doesn't really exist and can't be implemented properly. On * If the internetuser's password is changed, most people mention a "revocation list" or a "black list" containing all session tokens which have been revokedmust be removed from LDAP in order to force the user to re-login. This makes * If any attributes are changed which control the API statefuluser's affiliation (reseller, because this token list company, etc), all session tokens must be stored somewhereremoved from LDAP in order to force the user to re-login. *: Specific attributes:** sstBelongsToResellerUID** sstBelongsToCustomerUID** sstEmployeeOfUID** sstEmployeeOfUID In our case, we store the session tokens in a leaf beneath the person (as these tokens are personal).
===== People - Person - Session tokens example =====
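Review bot: The "Specific attributes" list names sstEmployeeOfUID twice. If a fourth affiliation attribute was meant, name it, otherwise drop the duplicate entry. The two special cases also rely on "all session tokens must be removed from LDAP in order to force the user to re-login", but the section never states that the server checks each API request against the token leaf beneath the person. Removal only forces a re-login if that lookup happens on every request, so it is worth adding a sentence that says so, along with what applies to a token that has expired but is still stored.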
SLB