tomcat-dev mailing list archives

From Benjamin Fonzé
Subject RE: Implementation of the sessions
Date Tue, 21 May 2002 12:24:17 GMT
Thank you for your help Bojan and Rolf.

I'll try to understand all that :)


-----Original Message-----
From: Bojan Smojver
Sent: Tuesday 21 May 2002 9:46
To: Tomcat Dev List
Subject: RE: Implementation of the sessions

On Tue, 2002-05-21 at 17:32, Benjamin Fonzé wrote:

> What is that mechanism?

SSL establishes a session before the HTTP protocol gets on top of it (i.e.
SSL is a transport layer). Once that happens, the container (Tomcat)
might have access to the SSL Session ID (I know that part to be true if
you use Apache + mod_ssl + mod_jk) and then use it as its own session
ID. To my knowledge, that's not the case with the 3.3.x series (wouldn't
have a clue about 4.x). However, you can check the Tomcat session ID against
the SSL session ID in 3.3.x.

I think I read somewhere (and SSL people please correct me) that SSL
session IDs can be swapped during the session at any time (this is by
design), so the above checking might create problems if that happens. In
practice it usually ends up being fine, but in theory I think it's not
an entirely correct thing to do.


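An added example, not code from this thread or from Tomcat: a plain-Java version of the check discussed above, which binds a container session ID to the SSL session ID first seen with it and reports when the two later disagree. The class, its method names and the sample values are hypothetical, and how the container hands the SSL session ID to the application is assumed rather than shown.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Added example: ties a container session ID to the SSL session ID first seen with it. */
public class TlsSessionBinding {
    public enum Verdict { NO_TLS, BOUND, MATCH, CHANGED }

    // container session ID -> SSL session ID observed when the binding was made
    private final Map<String, String> bindings = new ConcurrentHashMap<>();

    /**
     * tlsId is whatever the container reports for the current connection
     * (assumption: the application can read it per request); null or empty
     * means no SSL session ID was visible, e.g. plain HTTP.
     */
    public Verdict check(String containerId, String tlsId) {
        if (tlsId == null || tlsId.isEmpty()) return Verdict.NO_TLS;
        String previous = bindings.putIfAbsent(containerId, tlsId);
        if (previous == null) return Verdict.BOUND;   // first sighting: bind
        return previous.equals(tlsId) ? Verdict.MATCH : Verdict.CHANGED;
    }

    /** Accept a new SSL session ID; call only after the user has re-authenticated. */
    public void rebind(String containerId, String tlsId) {
        bindings.put(containerId, tlsId);
    }

    /** Drop the binding when the container session is invalidated. */
    public void forget(String containerId) {
        bindings.remove(containerId);
    }

    public static void main(String[] args) {
        TlsSessionBinding binding = new TlsSessionBinding();
        String sid = "CONTAINER-SESSION-1";                    // constructed sample value
        System.out.println(binding.check(sid, "tls-aaaa"));    // first request binds
        System.out.println(binding.check(sid, "tls-aaaa"));    // same SSL session
        // A changed SSL session ID for the same user looks exactly like the
        // container session ID arriving over someone else's SSL session.
        System.out.println(binding.check(sid, "tls-bbbb"));
        binding.rebind(sid, "tls-bbbb");                        // after re-authentication
        System.out.println(binding.check(sid, "tls-bbbb"));
        System.out.println(binding.check(sid, null));           // no SSL session ID visible
    }
}
```

Treating `CHANGED` as a prompt to re-authenticate, rather than as a hard failure, keeps the check usable when the SSL session ID changes for a legitimate user.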