tomcat-dev mailing list archives

From Eric Rescorla <>
Subject Re: [Fwd: using SSL_SESSION_ID for session tracking, anyone done it?]
Date Mon, 10 Dec 2001 23:00:02 GMT
Joel Roth-Nater <> writes:
> My idea is to let Apache handle SSL traffic, but pass the SSL_SESSION_ID 
> through mod_webapp to Tomcat. Tomcat could then use it to track its 
> sessions without cookies or URL-rewriting. Before I start writing the 
> code myself, I wonder if anyone has tried to do it.
If you're going to do this you're going to have to be prepared for
the case where a client reconnects but doesn't resume a previous
session. There's no guarantee in SSL that merely because a C/S
pair have communicated previously (even recently) they will
resume that previous session. Clients and servers can flush the
session cache at any time.

Session IDs aren't really a complete substitute for cookies.


[Eric Rescorla]
Author of "SSL and TLS: Designing and Building Secure Systems"
