tomcat-users mailing list archives

From Darryl Miles <darryl-mailingli...@netbauds.net>
Subject Re: Tomcat 5.5 / Apache 2 / Join (Tomcat-) Session with SSL-Session / Which mod should be used?
Date Fri, 19 May 2006 15:06:58 GMT
Michael Decker wrote:
>>> My problem is, that the application session (set by cookie or url
>>> parameter) is not associated with the SSL session. And I hope, there is
>>> an easy way to that.
>> I don't understand why you want to connect to two (under my definition of
>> each explained above).
> 
> Why I want that? If you've an application with session. So you can get
> the application information by spying (XSS, browser plugin etc.) or
> copying (URL with session ID).
> 
> Because of that the idea was to join SSL session id and application
> session id, you can avoid that.

Understood on what you are trying to do now.  Maybe: 
http://java.sun.com/products/servlet/2.1/api/javax.servlet.ServletRequest.html 
and :

// Tomcat exposes the negotiated SSL session to the web-app as a request attribute
javax.net.ssl.SSLSession sslSession =
    (javax.net.ssl.SSLSession) request.getAttribute("javax.net.ssl.session");
// the SSL session id that can be compared against the one stored in the HttpSession
byte[] sslId = sslSession.getId();

Will do the trick.


Before all HttpSession object usage you want to validate it, maybe a 
Servlet Filter would be a good way to handle this. 
http://java.sun.com/products/servlet/Filters.html


The AJP protocol seamlessly conveys the SSL related information between 
apache and tomcat.  Although apache+mod_ssl is the SSL endpoint, the 
web-app still has access to it just as if you had set up SSL on tomcat 
directly.



>> It is not normal to connect the SSL session in
>> this way, as the HTTP protocol may (or may not) use the same SSL session
>> details during the next request, the client may (or may not) support
>> persistent connections.  The SSL session cache is a performance
>> optimization, not something an application gets to see or use directly.
> 
> I'm not sure if I completely understand you: The SSL session (ID) can
> change between two requests?

HTTP is a stateless protocol.  So from a pure HTTP perspective, yes sure 
the ID can change between requests.  In practice, with feature-full 
browsers and a normal usage pattern, linking them is probably safe; you'll 
have to test with your userbase to be sure.


Darryl
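The Servlet Filter approach suggested above, written out as an added example (it is not code from the thread or from Tomcat). It assumes the "javax.net.ssl.session" attribute named in the post yields an SSLSession and, as a fallback, Tomcat's "javax.servlet.request.ssl_session" attribute holding the hex session id; the "bound.ssl.session.id" session attribute name is chosen here. Per the caveat about SSL session ids changing, a mismatch invalidates the HttpSession, so users on clients that renegotiate frequently will be logged out.

```java
import java.io.IOException;
import javax.net.ssl.SSLSession;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Rejects an HttpSession presented over a different SSL session than the one it was first used on. */
public class SslSessionBindingFilter implements Filter {
    // HttpSession attribute holding the SSL session id the session was bound to (name chosen here)
    private static final String BOUND_SSL_ID = "bound.ssl.session.id";

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String sslId = currentSslSessionId(request);
        HttpSession session = request.getSession(false);
        if (session != null) {
            String bound = (String) session.getAttribute(BOUND_SSL_ID);
            if (sslId == null || (bound != null && !bound.equals(sslId))) {
                // Session id arrived over plain HTTP or over another SSL session:
                // treat it as copied or replayed and refuse it rather than re-bind.
                session.invalidate();
                response.sendError(HttpServletResponse.SC_FORBIDDEN, "Session not bound to this SSL session");
                return;
            }
            if (bound == null) session.setAttribute(BOUND_SSL_ID, sslId); // first use: bind it
        }
        chain.doFilter(req, res);
    }

    /** Hex form of the SSL session id, or null when the request did not arrive over SSL. */
    static String currentSslSessionId(HttpServletRequest request) {
        Object o = request.getAttribute("javax.net.ssl.session"); // attribute name as given in the post
        if (o instanceof SSLSession) return toHex(((SSLSession) o).getId());
        Object t = request.getAttribute("javax.servlet.request.ssl_session"); // assumed Tomcat hex-string form
        return t == null ? null : t.toString();
    }

    static String toHex(byte[] b) {
        StringBuilder sb = new StringBuilder(b.length * 2);
        for (byte x : b) sb.append(String.format("%02x", x));
        return sb.toString();
    }
}
```

Map the filter to the URL patterns that use the application session in web.xml; a session created over plain HTTP is rejected on its first SSL request, which is the intended behaviour.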

