From: Eric Rescorla <ekr@rtfm.com>
To: "Tomcat Developers List" <tomcat-dev@jakarta.apache.org>
Subject: Re: [Fwd: using SSL_SESSION_ID for session tracking, anyone done it?]
Date: 10 Dec 2001 15:00:02 -0800
In-Reply-To: Joel Roth-Nater's message of "Mon, 10 Dec 2001 14:40:59 -0500"

Joel Roth-Nater writes:
> My idea is to let Apache handle SSL traffic, but pass the SSL_SESSION_ID
> through mod_webapp to Tomcat. Tomcat could then use it to track its
> sessions without cookies or URL-rewriting. Before I start writing the
> code myself, I wonder if anyone has tried to do it.

If you're going to do this you're going to have to be prepared for the
case where a client reconnects but doesn't resume a previous session.
There's no guarantee in SSL that merely because a C/S pair have
communicated previously (even recently) that they will resume that
previous session. Clients and servers can flush the session cache at
any time. Session IDs aren't really a complete substitute for cookies.

-Ekr

--
[Eric Rescorla                                   ekr@rtfm.com]
Author of "SSL and TLS: Designing and Building Secure Systems"
http://www.rtfm.com/
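The failure mode Eric describes, as an added simulation that is not part of the thread and not Tomcat or mod_webapp code: no real TLS is performed, the `SimulatedTlsConnection`, `SslIdOnlyTracker`, `CookieBackedTracker` and `run_scenario` names are all hypothetical, and "resume" merely models whether the client presents its old session or does a full handshake. A tracker keyed solely on SSL_SESSION_ID loses the logged-in state the moment the client reconnects without resuming; a tracker that keeps a cookie as the authoritative identifier and uses the SSL session ID only as a cache survives both cases.

```python
"""Why SSL_SESSION_ID alone is a fragile HTTP session key (constructed demo).

Either side may flush its TLS session cache, so a reconnecting client can
arrive with a brand-new session ID even though it talked to us a moment ago.
"""
import secrets


class SimulatedTlsConnection:
    """Models the server-visible SSL_SESSION_ID for one client (hypothetical)."""

    def __init__(self):
        self.session_id = None

    def connect(self, resume: bool) -> str:
        # Resumption keeps the ID; a full handshake (e.g. after a cache flush
        # on either end) yields a completely new one.
        if not resume or self.session_id is None:
            self.session_id = secrets.token_hex(16)
        return self.session_id


class SslIdOnlyTracker:
    """The proposed design: application session keyed solely on SSL_SESSION_ID."""

    def __init__(self):
        self.sessions = {}  # ssl_session_id -> per-user state

    def request(self, ssl_session_id: str, cookie=None):
        state = self.sessions.setdefault(ssl_session_id, {"user": None})
        return state, None  # never issues a cookie


class CookieBackedTracker:
    """Cookie is authoritative; SSL_SESSION_ID only caches the cookie lookup."""

    def __init__(self):
        self.sessions = {}   # app_session_id -> per-user state
        self.by_ssl_id = {}  # ssl_session_id -> app_session_id (cache only)

    def request(self, ssl_session_id: str, cookie=None):
        app_id = cookie or self.by_ssl_id.get(ssl_session_id)
        if app_id is None or app_id not in self.sessions:
            # New visitor (or unknown/stale identifier): mint a fresh session.
            app_id = secrets.token_urlsafe(24)
            self.sessions[app_id] = {"user": None}
        self.by_ssl_id[ssl_session_id] = app_id  # refresh the cache entry
        return self.sessions[app_id], app_id


def run_scenario(tracker_cls, resume_on_reconnect: bool):
    """Log in on one connection, reconnect, and report who the server thinks we are."""
    tracker = tracker_cls()
    conn = SimulatedTlsConnection()
    sid = conn.connect(resume=False)
    state, cookie = tracker.request(sid)
    state["user"] = "alice"                      # constructed login
    sid2 = conn.connect(resume=resume_on_reconnect)
    state2, _ = tracker.request(sid2, cookie=cookie)
    return state2["user"]                        # "alice" if the session survived


if __name__ == "__main__":
    for cls in (SslIdOnlyTracker, CookieBackedTracker):
        for resume in (True, False):
            print(f"{cls.__name__:20s} resume={resume!s:5s} -> {run_scenario(cls, resume)}")
```

Run it directly to see the four combinations; the only case that loses the user is `SslIdOnlyTracker` with a non-resumed reconnect, which is exactly the case a server cannot prevent the client from triggering.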