httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Ellipses Lists" <>
Subject RE: [users@httpd] How to log out from an SSL V3 session?
Date Thu, 13 May 2004 14:22:25 GMT
I'm going to take a shot in the dark here, but could you do something like 
have the user follow a "logout" link to a non secure page, delete the 
cookies for the secure pages, and then have the login link back to the 
secure site?

I'm not sure if this will work for you, I have never worked with certificate 

>To: <>
>Subject: [users@httpd] How to log out from an SSL V3 session?
>Date: Thu, 13 May 2004 13:58:44 +0200
>I have an application protected by client certificate authentication. I 
>would like to let the user have a user-friendly way to change his 
>authentication certificate, let's say he chose to authenticate with 
>certificate A, then a ssl handshake occurs and an ssl V3 session is set up. 
>What if the user change his mind and wants to authenticate with certificate 
>The working solution is to make him close all his open browser windows, 
>restart his browser and reconnect to the page, then he will be asked again 
>to present a certificate and will be able to present certificate B.
>Is there a simpler way for the user to ask him again to authenticate and to 
>let him choose a different certificate?
>For a login/password type of authentication, you always have the choice to 
>click on a Log out link that kills your session, and give you a chance to 
>authenticate again with a different login/pwd.
>Can we imagine with client certificate authentication a same kind of way to 
>log out and to authenticate with a different user.
>On IE, there is a button in Tools / Internet Options / Content, called 
>Clear SSL Cache, that does a similar action than a log out button, I 
>haven't been able to find a similar button on Mozilla-like browsers... Do 
>you know of any button of his kind on Mozilla ?
>This would enable logging out from a client initiative.
>>From a server perspective : is it possible to send a signal to apache 
>mod_ssl to tell him to close the SSL session, so that the client goes back 
>to an unauthenticated session. If he wants to access a proctected page 
>again, he would have a choice of choosing a different certificate.
>Thanks far any ideas,
>This message is for the designated recipient only and may contain 
>privileged, proprietary, or otherwise private information.  If you have 
>received it in error, please notify the sender immediately and delete the 
>original.  Any other use of the email by you is prohibited.
>The official User-To-User support forum of the Apache HTTP Server Project.
>See <URL:> for more info.
>To unsubscribe, e-mail:
>    "   from the digest:
>For additional commands, e-mail:

Stop worrying about overloading your inbox - get MSN Hotmail Extra Storage!

The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:> for more info.
To unsubscribe, e-mail:
   "   from the digest:
For additional commands, e-mail:

View raw message