Posted to users@tomcat.apache.org by Bárbara Vieira <ba...@di.uminho.pt> on 2007/11/03 23:18:28 UTC

SSL session is the same HTTP session and is the same Servlet session

This question is about Tomcat's architecture.

When an HTTP over SSL (HTTPS) connection is established, Tomcat encapsulates
this connection in an object, CoyoteConnector. After that, this object is
transformed into other objects, until it is encapsulated in an HttpRequest
object. When the connection is encapsulated in an HttpRequest/
HttpServletRequest, what happens?!

My question is about the SSL session that is established, about the HTTP session
that is in the higher layer, and about the session available in the Servlet. I want
to know if the SSL session is the same as the HTTP session and the same as the Servlet
session.

My concern is about keeping a secure session, even if the SSL session is
broken. I.e., suppose the following situation:

- An HTTPS connection is established and an HttpServlet session is
  created; the user is authenticated by a certificate (mutual authentication)

- I turn off the network; the SSL session is broken (I suppose that
  is what happens)

- When I turn the network on again, the user is authenticated because
  the session on the server didn't end (there wasn't a timeout yet)

This is a big problem. How can I control this?!

Thanks,

Bárbara Vieira


Re: SSL session is the same HTTP session and is the same Servlet session

Posted by Bill Barker <wb...@wilshire.com>.
>"Bárbara Vieira" <ba...@di.uminho.pt> wrote in message 
>news:003501c81e67$75f870e0$61e952a0$@uminho.pt...
>
>This question is about Tomcat's architecture.
>
>When an HTTP over SSL (HTTPS) connection is established, Tomcat encapsulates
>this connection in an object, CoyoteConnector.  After that, this object is
>transformed into other objects, until it is encapsulated in an HttpRequest
>object. When the connection is encapsulated in an HttpRequest/
>HttpServletRequest, what happens?!
>
>My question is about the SSL session that is established, about the HTTP session
>that is in the higher layer, and about the session available in the Servlet. I want
>to know if the SSL session is the same as the HTTP session and the same as the 
>Servlet
>session.
>

No, the SSL session and the HTTP session are completely different and 
unrelated.  It is possible to get the SSL session ID via the request 
attribute "javax.servlet.request.ssl_session" (this is a Tomcat specific 
feature, so is not portable).  You can use that in a Filter to link the HTTP 
session to the SSL session, but that's about it.
>
>My concern is about keeping a secure session, even if the SSL session is
>broken. I.e., suppose the following situation:
>
>- An HTTPS connection is established and an HttpServlet session is
>  created; the user is authenticated by a certificate (mutual authentication)
>
>- I turn off the network; the SSL session is broken (I suppose 
>  that
>  is what happens)
>
>- When I turn the network on again, the user is authenticated because
>  the session on the server didn't end (there wasn't a timeout yet)
>

This is normal, the browser will ask to rejoin its former SSL session and 
Tomcat will see no reason why not.  And even if there was a new SSL session, 
most browsers will treat CLIENT-CERT auth like BASIC, and quietly resend 
the previously selected cert without prompting the user again.

>
>This is a big problem. How can I control this?!
>
>Thanks,
>
>Bárbara Vieira
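
A Filter of the kind Bill describes, as an added example (not Tomcat's code and not from this thread): it records the Tomcat-specific "javax.servlet.request.ssl_session" request attribute in the HttpSession on first sight and invalidates the session when a later request arrives under a different SSL session ID. Assumptions: the filter is mapped to the protected URLs in web.xml, and every name other than that Tomcat attribute (the class, the session attribute key) is invented here.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Ties each HttpSession to the SSL session ID it was first seen under.
// SslSessionBindingFilter and BOUND_SSL_ID are names chosen for this example.
public class SslSessionBindingFilter implements Filter {

    // Tomcat-specific request attribute named in the reply above.
    private static final String SSL_SESSION_ATTR = "javax.servlet.request.ssl_session";
    // HttpSession attribute holding the SSL session ID the session was bound to.
    private static final String BOUND_SSL_ID = "example.bound_ssl_session";

    public void init(FilterConfig config) throws ServletException { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Null when the connector is not SSL or the attribute is unsupported.
        Object sslId = request.getAttribute(SSL_SESSION_ATTR);
        HttpSession session = request.getSession(false);

        if (session != null) {
            Object bound = session.getAttribute(BOUND_SSL_ID);
            if (bound == null && sslId != null) {
                // HttpSession not yet bound: record the SSL session it rides on.
                session.setAttribute(BOUND_SSL_ID, sslId);
            } else if (bound != null && !bound.equals(sslId)) {
                // SSL session differs (not resumed, renegotiated, or plain HTTP):
                // drop the HTTP session so server-side state does not outlive it.
                session.invalidate();
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
        }
        chain.doFilter(req, res);
    }

    public void destroy() { }
}
```

As the reply points out, a resumed SSL session keeps its ID and browsers resend the client certificate silently, so this binding only stops an HTTP session from being carried over a different SSL session; it does not make the user re-authenticate interactively. Servlet 3.0 later standardized a portable equivalent of this attribute, `javax.servlet.request.ssl_session_id`.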

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org