Posted to users@tomcat.apache.org by Jürgen Jakobitsch <j....@semantic-web.at> on 2011/09/06 21:44:15 UTC

SSLSession invalidate

hi, i'm pretty sure this question
has been asked a thousand times, but
i didn't find an answer:

how can i access the SSLSession in a jsp or a servlet
to be able to invalidate it?

any pointer really appreciated

wkr www.turnguard.com/turnguard

-- 
| Jürgen Jakobitsch, 
| Software Developer
| Semantic Web Company GmbH
| Mariahilfer Straße 70 / Neubaugasse 1, Top 8
| A - 1070 Wien, Austria
| Mob +43 676 62 12 710 | Fax +43.1.402 12 35 - 22

COMPANY INFORMATION
| http://www.semantic-web.at/

PERSONAL INFORMATION
| web   : http://www.turnguard.com
| foaf  : http://www.turnguard.com/turnguard
| skype : jakobitsch-punkt

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: SSLSession invalidate

Posted by Henry Story <he...@bblfish.net>.
On 15 Sep 2011, at 23:30, Peter wrote:

> A connection is streaming a video, when you "logout" of its session. 
> 
> What happens?

I have not tried it. I'll put up some code in Java so you can try it out soon.

> 
> The browser caches img files retrieved from the same server path as the application to which one then sends an ssl "logout signal". A browser plugin references the https uri of the image.
> 
> Does the cache release the image, collected over a session that is now closed?
> 
> Sent from my iPhone

Social Web Architect
http://bblfish.net/



Re: SSLSession invalidate

Posted by Henry Story <he...@bblfish.net>.
You can break TLS sessions once you have the session_id. I tried this in Clerezza (an apache incubator project) to see if I could get something like a logout functionality to work. I even tried to see if breaking a connection and throwing one of the exceptions that TLS defines would force the browser to ask the user for another certificate, but it does not work - or only quite randomly in most browsers.

https://github.com/bblfish/clerezza/blob/bblfish/parent/platform.security.foafssl/core/src/main/scala/org/apache/clerezza/foafssl/ssl/X509TrustManagerWrapperService.scala

I think it is a bug that they don't react properly to the defined exceptions being thrown. 

What does work for Firefox and I think IE (Not tested yet, please let me know) is the following javascript logout:

function logout(elem) {
   if (document.all == null) {                 // not MSIE
      if (window.crypto) {
          try {
              window.crypto.logout();          // Firefox-specific: forget the client cert choice
              return false;                    // firefox ok -- no need to follow the link
          } catch (err) {
              // Safari, Opera, Chrome -- fall through and try this session breaking
          }
      }
      // no window.crypto -- also try with session breaking
   } else {                                    // MSIE 6+
      document.execCommand('ClearAuthenticationCache');
      return false;
   }
   return true;                                // follow the /logout link
}

function login(elem)  { logout(elem) }

-----

Then you can just put the following html in your page

<a href="/user/joe/control-panel">Joe</a>|<a href="/logout" onclick="return logout(this);">logout</a>

I have added this to the foaf+ssl (WebID protocol) wiki
http://www.w3.org/wiki/Foaf%2Bssl/HOWTO#HOWTO_logout

Henry



RE: SSLSession invalidate

Posted by "Adamus, Steven J." <ST...@saic.com>.
Don't assume your SSL session or connection hasn't been invalidated just because you aren't asked to choose a certificate from your browser certs when you log in again.  In our system (Tomcat 5.5.33), I know that our HTTP session and Single Sign-on session are invalidated upon logout, and we see similar behavior (no need to select certificate) upon re-login because the browser caches the user's certificate choice (and smart card PIN).  Is your session ID the same when you go back in?  

If you are using IE and you want to clear the browser cache to select another certificate, go to Tools->Internet Options, select Content tab, and click Clear SSL state. 



Re: SSLSession invalidate

Posted by Jürgen Jakobitsch <j....@semantic-web.at>.
thanks mark,

if i understand you correctly, it is simply NOT possible to invalidate
the SSLSession whose id i can get with request.getAttribute("javax.servlet.request.ssl_session")
(it works with this key in 6.0.32)

wkr turnguard



Re: SSLSession invalidate

Posted by Mark Thomas <ma...@apache.org>.
On 06/09/2011 22:42, Jürgen Jakobitsch wrote:
> apparently there is one, i can get its id with request.getAttribute("javax.servlet.request.ssl_session")

That is a Tomcat bug; it should be javax.servlet.request.ssl_session_id

> in tomcat7 there's the possibility to use SSLSessionManager to invalidate SSLSession, so i'm doing a
> wild guess, that something similar has to be possible with tomcat6 as well.

Your wild guess is wrong. That feature is in Tomcat 7 onwards.

Mark



Re: SSLSession invalidate

Posted by Jürgen Jakobitsch <j....@semantic-web.at>.
i should make myself clearer, i guess...

i'm trying to close a SSL connection, in case someone wants to use another certificate
for a webpage that uses client-cert as authentication method.

i know how to close a session, thanks. what i don't know is how to invalidate a SSLSession.
apparently there is one, i can get its id with request.getAttribute("javax.servlet.request.ssl_session")
and also apparently it is not enough to do session.invalidate(). why? because i have it in a logout.jsp
that redirects to my index.jsp. now if the SSL connection had been invalidated, i should be
asked to choose a certificate from my browser certs, which i'm not; after passing my logout.jsp
i'm still logged in. i even have a request.setHeader("connection", "close") in my logout jsp, which
doesn't help either (i have read that the header thing might be interpreted more as a guideline for the browser
and not necessarily close all connections).

in tomcat7 there's the possibility to use SSLSessionManager to invalidate SSLSession, so i'm doing a
wild guess, that something similar has to be possible with tomcat6 as well.


so the overall workflow would be

1. first hit of index.jsp
2. i'm asked to choose a browser cert 
3. i log in with a browser cert
4. i hit the logout button, which makes an ajax request to logout.jsp
5. in logout.jsp i invalidate the normal HTTPSession and set the connection header to "close" 

   => here something is missing to invalidate the SSLSession

6. in case of success of the logout-ajax request, i'm taken to index.jsp
   (now start over from point 1. again)
   only i'm not asked for a cert the second time, which is exactly what i want to achieve... and before you ask: i don't want to switch to tomcat7 for this
   but need to get it done in tomcat-6.0.32

any help really appreciated
wkr turnguard

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
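The logout step from the workflow above (invalidate the HTTP session, then the TLS session, then ask the client to close the connection), written against the Tomcat 7 API Mark refers to. This is an added example, not code from the thread or from Tomcat; it assumes a hypothetical servlet mapped to /logout, the Tomcat 7+ request attribute javax.servlet.request.ssl_session_mgr (org.apache.tomcat.util.net.SSLSessionManager, shipped in tomcat-coyote.jar), and the default JSESSIONID cookie name. On Tomcat 6 the manager attribute is absent and the servlet degrades to HTTP-session invalidation only, which is exactly the gap the thread describes.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.tomcat.util.net.SSLSessionManager;

/** Hypothetical logout servlet (added example); map it to /logout in web.xml. */
public class LogoutServlet extends HttpServlet {

    // Request attribute names from Tomcat's SSLSupport. The _id key is the
    // spec name; 6.0.32 exposed it as "javax.servlet.request.ssl_session" (bug
    // noted in this thread), so fall back to that when the correct key is absent.
    private static final String SSL_SESSION_ID = "javax.servlet.request.ssl_session_id";
    private static final String SSL_SESSION_ID_60 = "javax.servlet.request.ssl_session";
    private static final String SSL_SESSION_MGR = "javax.servlet.request.ssl_session_mgr";

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // 1. Drop the application (HTTP) session, as Baran's JSP snippet does.
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // 2. Invalidate the TLS session so the next handshake cannot resume it.
        //    Tomcat 7+ exposes a manager object; on Tomcat 6 the attribute is null.
        String sslId = (String) req.getAttribute(SSL_SESSION_ID);
        if (sslId == null) {
            sslId = (String) req.getAttribute(SSL_SESSION_ID_60);
        }
        Object mgr = req.getAttribute(SSL_SESSION_MGR);
        if (mgr instanceof SSLSessionManager) {
            ((SSLSessionManager) mgr).invalidateSession();
            log("logout: TLS session " + sslId + " invalidated");
        } else {
            // Tomcat 6: no server-side API; only the HTTP session is gone.
            log("logout: no SSLSessionManager, TLS session " + sslId + " left intact");
        }

        // 3. Ask the client to close the connection: a new connection means a new
        //    handshake. Note the browser may still reuse its cached certificate
        //    choice (Steven's point), so the user is not necessarily re-prompted.
        resp.setHeader("Connection", "close");
        resp.setHeader("Cache-Control", "no-store");

        // 4. Expire the session cookie explicitly (default cookie name assumed).
        Cookie cookie = new Cookie("JSESSIONID", "");
        cookie.setMaxAge(0);
        cookie.setPath(req.getContextPath().isEmpty() ? "/" : req.getContextPath());
        cookie.setSecure(true);
        resp.addCookie(cookie);

        // The AJAX caller from the workflow navigates to index.jsp on success.
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }
}
```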


Re: SSLSession invalidate

Posted by baran topal <ja...@gmail.com>.
Greetings from Stockholm, this is Baran Topal.

As i was drinking my Guinness, i found your question interesting :)

Here you go:

<%
HttpSession s = request.getSession(false);
if (s != null) s.invalidate();
%>

Inform me whether this is working or not :)

Regards.



Re: SSLSession invalidate

Posted by Chema <de...@gmail.com>.
> how can access the SSLSession in a jsp or a servlet
> to be able to invalidate it.

Sorry, but

is there any difference between invalidating an HTTP Session and an SSLSession?
