httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Ellipses Lists" <ellipses_li...@hotmail.com>
Subject RE: [users@httpd] How to log out from an SSL V3 session?
Date Thu, 13 May 2004 14:22:25 GMT
I'm going to take a shot in the dark here, but could you do something like 
have the user follow a "logout" link to a non secure page, delete the 
cookies for the secure pages, and then have the login link back to the 
secure site?

I'm not sure if this will work for you, I have never worked with certificate 
authentication.

>From: nicolas.villoutreix@accenture.com
>Reply-To: users@httpd.apache.org
>To: <users@httpd.apache.org>
>Subject: [users@httpd] How to log out from an SSL V3 session?
>Date: Thu, 13 May 2004 13:58:44 +0200
>
>I have an application protected by client certificate authentication. I 
>would like to let the user have a user-friendly way to change his 
>authentication certificate, let's say he chose to authenticate with 
>certificate A, then a ssl handshake occurs and an ssl V3 session is set up. 
>What if the user change his mind and wants to authenticate with certificate 
>B.
>
>The working solution is to make him close all his open browser windows, 
>restart his browser and reconnect to the page, then he will be asked again 
>to present a certificate and will be able to present certificate B.
>
>Is there a simpler way for the user to ask him again to authenticate and to 
>let him choose a different certificate?
>
>For a login/password type of authentication, you always have the choice to 
>click on a Log out link that kills your session, and give you a chance to 
>authenticate again with a different login/pwd.
>
>Can we imagine with client certificate authentication a same kind of way to 
>log out and to authenticate with a different user.
>
>On IE, there is a button in Tools / Internet Options / Content, called 
>Clear SSL Cache, that does a similar action than a log out button, I 
>haven't been able to find a similar button on Mozilla-like browsers... Do 
>you know of any button of his kind on Mozilla ?
>
>This would enable logging out from a client initiative.
>
>>From a server perspective : is it possible to send a signal to apache 
>mod_ssl to tell him to close the SSL session, so that the client goes back 
>to an unauthenticated session. If he wants to access a proctected page 
>again, he would have a choice of choosing a different certificate.
>
>
>
>Thanks far any ideas,
>
>cheers.
>
>Nicolas.
>
>
>
>This message is for the designated recipient only and may contain 
>privileged, proprietary, or otherwise private information.  If you have 
>received it in error, please notify the sender immediately and delete the 
>original.  Any other use of the email by you is prohibited.
>
>---------------------------------------------------------------------
>The official User-To-User support forum of the Apache HTTP Server Project.
>See <URL:http://httpd.apache.org/userslist.html> for more info.
>To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
>For additional commands, e-mail: users-help@httpd.apache.org
>

_________________________________________________________________
Stop worrying about overloading your inbox - get MSN Hotmail Extra Storage! 
http://join.msn.com/?pgmarket=en-us&page=hotmail/es2&ST=1/go/onm00200362ave/direct/01/


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message