tomcat-users mailing list archives

From Bárbara Vieira <>
Subject SSL session is the same HTTP session and is the same Servlet session
Date Sat, 03 Nov 2007 22:18:28 GMT


This question is about Tomcat’s architecture. 

When an HTTP over SSL (HTTPS) connection is established, Tomcat encapsulates
this connection in an object, CoyoteConnector. After that, this object is
transformed into other objects, until it is encapsulated in an HttpRequest
object. When the connection is encapsulated in an HttpRequest/
HttpServletRequest, what happens?!

My question is about the SSL session that is established, about the HTTP session
that is in the higher layer, and about the session available on the Servlet. I want
to know if the SSL session is the same HTTP session and is the same Servlet
session.


My concern is about keeping a secure session, even if the SSL session is
broken. I.e., suppose the following situation:

- An HTTPS connection is established and an HttpServlet session is
created; the user is authenticated by a certificate (mutual authentication)

- I turn off the network; the SSL session is broken (I suppose that
is what happens)

- When I turn the network on, the user is authenticated because
the session on the server didn't end (there wasn't a timeout yet)


This is a big problem. How can I control this?!



Bárbara Vieira
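Added example, not code from this thread or from Tomcat itself. A servlet HttpSession is tracked by a cookie (JSESSIONID) or URL rewriting, not by the TLS session, so once the session exists the container keeps honouring the cookie regardless of what happened to the connection that created it. The filter below re-checks, on every request, that the current connection is TLS with a client certificate and that it is the same certificate that first authenticated this session; the session is invalidated otherwise. The class name and the session attribute key are assumptions made for the example; the request attribute `javax.servlet.request.X509Certificate` is the standard Servlet API attribute the container fills in when the handshake carried a client certificate.

```java
import java.io.IOException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/*
 * Illustrative filter (not part of Tomcat): on every request, require that the
 * current connection is TLS with a client certificate, and that the certificate
 * is the one that authenticated this servlet session. The class name and the
 * session attribute key are assumptions chosen for the example.
 */
public class ClientCertSessionBindingFilter implements Filter {

    /* Session attribute holding the SHA-256 fingerprint of the bound certificate. */
    private static final String BOUND_CERT_FP = "example.boundClientCertSha256";

    @Override
    public void init(FilterConfig filterConfig) {
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        /* The container sets this attribute only if the TLS handshake on the
         * connection carrying this request included a client certificate. */
        X509Certificate[] chainFromTls = (X509Certificate[])
                request.getAttribute("javax.servlet.request.X509Certificate");

        if (!request.isSecure() || chainFromTls == null || chainFromTls.length == 0) {
            /* Plain HTTP, or TLS without a client certificate: a session cookie
             * presented here must not keep the user authenticated. */
            HttpSession stale = request.getSession(false);
            if (stale != null) {
                stale.invalidate();
            }
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED,
                    "client certificate required");
            return;
        }

        byte[] presentedFp;
        try {
            presentedFp = fingerprint(chainFromTls[0]);
        } catch (CertificateEncodingException | NoSuchAlgorithmException e) {
            throw new ServletException("cannot fingerprint client certificate", e);
        }

        HttpSession session = request.getSession(true);
        byte[] boundFp = (byte[]) session.getAttribute(BOUND_CERT_FP);

        if (boundFp == null) {
            /* First request of this session: remember which certificate
             * authenticated it. */
            session.setAttribute(BOUND_CERT_FP, presentedFp);
        } else if (!MessageDigest.isEqual(boundFp, presentedFp)) {
            /* Session cookie replayed over a connection authenticated by a
             * different certificate: treat it as a hijacked session. */
            session.invalidate();
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED,
                    "session does not belong to this client certificate");
            return;
        }

        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
    }

    /* SHA-256 over the DER encoding; comparing this instead of the certificate
     * object avoids storing the certificate itself in the session. */
    static byte[] fingerprint(X509Certificate cert)
            throws CertificateEncodingException, NoSuchAlgorithmException {
        return MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
    }
}
```

Register it in web.xml with a `<filter>` and a `<filter-mapping>` on the protected URL pattern. In the scenario above, a reconnect after the network comes back performs a fresh TLS handshake that presents the same client certificate, so the same user stays authenticated, while a session cookie replayed over plain HTTP, over TLS without a certificate, or with a different certificate is rejected and the session is dropped. Two caveats: Servlet 3.0 also offers `<session-config><tracking-mode>SSL</tracking-mode></session-config>`, which makes the container derive the session id from the TLS session id instead of a cookie, and Tomcat 10 and later use the `jakarta.servlet` package, where the attribute is named `jakarta.servlet.request.X509Certificate`.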
