tomcat-dev mailing list archives

From Eric Rescorla <...@rtfm.com>
Subject Re: [Fwd: using SSL_SESSION_ID for session tracking, anyone done it?]
Date Mon, 10 Dec 2001 23:00:02 GMT
Joel Roth-Nater <joel@quoininc.com> writes:
> My idea is to let Apache handle SSL traffic, but pass the SSL_SESSION_ID 
> through mod_webapp to Tomcat. Tomcat could then use it to track its 
> sessions without cookies or URL-rewriting. Before I start writing the 
> code myself, I wonder if anyone has tried to do it.
If you're going to do this you're going to have to be prepared for
the case where a client reconnects but doesn't resume a previous
session. There's no guarantee in SSL that merely because a C/S
pair have communicated previously (even recently) they will
resume that previous session. Clients and servers can flush the
session cache at any time.

Session IDs aren't really a complete substitute for cookies.

-Ekr

-- 
[Eric Rescorla                                   ekr@rtfm.com]
Author of "SSL and TLS: Designing and Building Secure Systems"
                  http://www.rtfm.com/
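The failure mode described above, as an added example that is not code from the thread, from Tomcat or from mod_webapp: a constructed model of a TLS session cache next to a server-side session store, showing that tracking keyed only on SSL_SESSION_ID loses the user's state as soon as either side drops the TLS session and a full handshake assigns a fresh ID, while a server-issued cookie survives it. All names here (TlsEndpoint, SessionTracker, simulate) are assumptions for the illustration.

```python
"""Constructed model: TLS session resumption vs. application session tracking."""
import secrets
from dataclasses import dataclass, field


@dataclass
class TlsEndpoint:
    """Stand-in for a client/server pair sharing a TLS session cache."""
    cache: set = field(default_factory=set)

    def connect(self, resume_id=None):
        """Return the SSL_SESSION_ID the server sees for a new connection.
        Resumption only works while both sides still hold the old session;
        otherwise a full handshake mints a brand-new ID."""
        if resume_id is not None and resume_id in self.cache:
            return resume_id                  # abbreviated handshake, same ID
        new_id = secrets.token_hex(16)        # full handshake, fresh ID
        self.cache.add(new_id)
        return new_id

    def flush(self):
        """Either side may discard its cache at any time (restart, LRU, timeout)."""
        self.cache.clear()


class SessionTracker:
    """Server-side session store keyed either on the TLS session ID or on a
    token the application issues itself (i.e. a cookie)."""

    def __init__(self, key_by_tls_id):
        self.key_by_tls_id = key_by_tls_id
        self.sessions = {}                    # key -> authenticated user

    def login(self, tls_id, user):
        key = tls_id if self.key_by_tls_id else secrets.token_hex(16)
        self.sessions[key] = user
        return key                            # cookie value; unused in TLS-ID mode

    def lookup(self, tls_id, cookie=None):
        key = tls_id if self.key_by_tls_id else cookie
        return self.sessions.get(key)         # None == "who are you again?"


def simulate(key_by_tls_id, flush_between):
    """Log in, optionally lose the TLS session, reconnect, and report who the
    server thinks the client is on the second connection."""
    tls, tracker = TlsEndpoint(), SessionTracker(key_by_tls_id)
    first_id = tls.connect()
    cookie = tracker.login(first_id, "alice")
    if flush_between:
        tls.flush()                           # cache dropped between requests
    second_id = tls.connect(resume_id=first_id)
    return tracker.lookup(second_id, cookie)
```

Only the combination of TLS-ID keying and a flushed cache comes back with no user; the cookie-based tracker is unaffected by what the TLS layer does.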