tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Armin Häberling <armi...@student.ethz.ch>
Subject Re: Invalidate the SSLSession?
Date Thu, 05 Jan 2006 15:52:21 GMT
Hi,

I think calling SSLSession.invalidate() will not suffice to logout the 
user. Because calling invalidate() will only prevent the client to open 
a new SSL-connection using the the same session, but has no influence on 
existing ssl-connections using that session. That means the user is not 
logged out until all connections using that session are closed.
See also the java api: 
http://java.sun.com/j2se/1.5.0/docs/api/javax/net/ssl/SSLSession.html#invalidate()

Armin


Andreas Persson wrote:
> Hi,
> 
> I'm trying to implement a feature that I think is missing, but I'm
> feeling pretty lost in the Tomcat sources. When SSL client
> authentication is used, I would like to be able to logout the user. I
> think this means that I need to call invalidate() on the SSLSession
> (I'm using the JSSE implementation). But, the SSLSession or SSLSocket
> is not available for the servlet code.
> 
> Does anyone have some hints on how this could be solved? Should I try
> to make the SSLSession available in a request parameter, or should
> the invalidate method call in some way be placed inside the server
> code?
> 
> /Andreas
> 
> 
> ---------------------------------------------------------------------
>  To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org For
> additional commands, e-mail: dev-help@tomcat.apache.org
> 
> 


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Mime
View raw message