tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Michael Decker <>
Subject Re: Tomcat 5.5 / Apache 2 / Join (Tomcat-) Session with SSL-Session / Which mod should be used?
Date Fri, 19 May 2006 13:15:25 GMT

>> My problem is, that the application session (set by cookie or url
>> parameter) is not associated with the SSL session. And I hope, there is
>> an easy way to that.
> I dont understand why you want to connect to two (under my definition of
> each explained above).

Why I want that? If you've an application with session. So you can get
the application information by spying (XSS, browser plugin etc.) or
copying (URL with session ID).

Because of that the idea was to join SSL session id and application
session id, you can avoid that.

> It is not normal to connect the SSL session in
> this way, as the HTTP protocol may (or may not) use the same SSL session
> details during the next request, the client may (or may not) support
> persistent connections.  The SSL session cache is a performance
> optimization, not something an application gets to see or use directly.

I'm not sure if I completely understand you: The SSL session (ID) can
change between two requests?

> It more normal to issue client certificates to your userbase and
> validate those certificates with a per-website certificate authority. In
> which case the certificate will have an "Issue Number" and it is this
> issue number you can use as an authentication token (providing the
> certificate has passed validity testing, I'm sure both apache and tomcat
> can help with your application specific validity rules).

Okay, yes. That is a possibility, the application will offers, but it's
not forced to configure that way.

Thanks a lot!

Michael Decker            
TESIS SYSware GmbH            
Baierbrunnerstr. 15 * 81379 Muenchen * Tel. +49 89 747377-0

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message