tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Andreas Persson" <>
Subject Re: Invalidate the SSLSession?
Date Thu, 05 Jan 2006 16:12:09 GMT
Thank you for your answer! I have done some tests now, and you're right, it wasn't enough to
just do SSLSession.invalidate(). But if I also close the socket, by doing

response.setHeader("Connection", "close")

it seemed to work. But when I read your message I realize that there might be other sockets
open that also need to be closed.


-----Ursprungligt meddelande-----
Från: Armin Häberling []
Skickat: den 5 januari 2006 16:52
Till: Tomcat Developers List
Ämne: Re: Invalidate the SSLSession?


I think calling SSLSession.invalidate() will not suffice to logout the 
user. Because calling invalidate() will only prevent the client to open 
a new SSL-connection using the the same session, but has no influence on 
existing ssl-connections using that session. That means the user is not 
logged out until all connections using that session are closed.
See also the java api:


Andreas Persson wrote:
> Hi,
> I'm trying to implement a feature that I think is missing, but I'm
> feeling pretty lost in the Tomcat sources. When SSL client
> authentication is used, I would like to be able to logout the user. I
> think this means that I need to call invalidate() on the SSLSession
> (I'm using the JSSE implementation). But, the SSLSession or SSLSocket
> is not available for the servlet code.
> Does anyone have some hints on how this could be solved? Should I try
> to make the SSLSession available in a request parameter, or should
> the invalidate method call in some way be placed inside the server
> code?
> /Andreas

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message