Posted to dev@tomcat.apache.org by Andreas Persson <an...@idainfront.se> on 2006/01/04 15:02:59 UTC

Invalidate the SSLSession?

Hi,

I'm trying to implement a feature that I think is missing, but I'm feeling pretty lost in the Tomcat sources. When SSL client authentication is used, I would like to be able to log out the user. I think this means that I need to call invalidate() on the SSLSession (I'm using the JSSE implementation). But the SSLSession or SSLSocket is not available to the servlet code.

Does anyone have some hints on how this could be solved? Should I try to make the SSLSession available in a request parameter, or should the invalidate method call in some way be placed inside the server code?

/Andreas


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Re: Invalidate the SSLSession?

Posted by Armin Häberling <ar...@student.ethz.ch>.
Hi,

I think calling SSLSession.invalidate() will not suffice to log out the 
user, because calling invalidate() will only prevent the client from 
opening a new SSL connection using the same session, but has no influence 
on existing SSL connections using that session. That means the user is not 
logged out until all connections using that session are closed.
See also the Java API: 
http://java.sun.com/j2se/1.5.0/docs/api/javax/net/ssl/SSLSession.html#invalidate()

Armin


Andreas Persson wrote:
> Hi,
> 
> I'm trying to implement a feature that I think is missing, but I'm
> feeling pretty lost in the Tomcat sources. When SSL client
> authentication is used, I would like to be able to log out the user. I
> think this means that I need to call invalidate() on the SSLSession
> (I'm using the JSSE implementation). But, the SSLSession or SSLSocket
> is not available for the servlet code.
> 
> Does anyone have some hints on how this could be solved? Should I try
> to make the SSLSession available in a request parameter, or should
> the invalidate method call in some way be placed inside the server
> code?
> 
> /Andreas
> 
> 


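Added example, not part of the original thread and not Tomcat code: a sketch of the server-side approach the reply implies, where logging out means both invalidating the SSLSession (so it cannot be resumed) and closing every connection still using it. The class `TlsSessionRegistry` and its methods are hypothetical; it assumes the server code calls `register` after each handshake and `unregister` when a connection ends.

```java
import java.io.IOException;
import java.util.Base64;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;

/** Hypothetical helper: tracks which open connections use which TLS session. */
public final class TlsSessionRegistry {
    // Key: Base64 of SSLSession.getId(); value: sockets currently bound to that session.
    private final Map<String, Set<SSLSocket>> open = new ConcurrentHashMap<>();

    private static String key(SSLSession session) {
        return Base64.getEncoder().encodeToString(session.getId());
    }

    /** Call once the handshake has completed; returns the key to pass to unregister(). */
    public String register(SSLSocket socket) {
        String k = key(socket.getSession());
        open.computeIfAbsent(k, x -> ConcurrentHashMap.newKeySet()).add(socket);
        return k;
    }

    /** Call when a connection ends normally, so closed sockets do not accumulate. */
    public void unregister(String k, SSLSocket socket) {
        open.computeIfPresent(k, (x, peers) -> {
            peers.remove(socket);
            return peers.isEmpty() ? null : peers; // drop empty entries
        });
    }

    /**
     * Logs the client out: invalidate() only stops the session from being reused
     * for new connections, so every existing connection is closed as well.
     * Returns the number of connections that were closed.
     */
    public int logout(SSLSession session) {
        String k = key(session);          // read the id before invalidating
        session.invalidate();             // no resumption with this session from now on
        Set<SSLSocket> peers = open.remove(k);
        if (peers == null) return 0;
        int closed = 0;
        for (SSLSocket s : peers) {
            try { s.close(); closed++; } catch (IOException e) { /* already broken */ }
        }
        return closed;
    }
}
```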