
Invalidate SSL-session



I am using Tomcat 5.5 in combination with an HTTP-connector that is configured with TLS and client-authentication. Users log in to my web application with a client certificate from a smartcard.

When users try to log out, the HTTP-session is invalidated but the SSL-session key remains valid for quite a while, enabling users to simply go back to the application even after they have removed the smartcard.

I have looked for a way to invalidate the SSL-session when a user logs off but nothing seems to work. The SSL session key is available in the request (javax.servlet.request.ssl_session) but I can't find a way to access the corresponding SSL-session programmatically. The SSLSessionContext has a method to get a particular session based on the session-id, but that doesn't seem to work.

Is there some other way to invalidate the SSL-session from my web application?

Gert-Jan
