tomcat-users mailing list archives

From "Bill Barker" <>
Subject Re: SSL session is the same HTTP session and is the same Servlet session
Date Sat, 03 Nov 2007 23:51:55 GMT

>"Bárbara Vieira" <> wrote in message 
>This question is about Tomcat's architecture.
>When an HTTP over SSL (HTTPS) connection is established, Tomcat encapsulates
>this connection in an object - CoyoteConnector.  After that, this object is
>transformed into other objects, until it is encapsulated in an HttpRequest
>object. When the connection is encapsulated in an HttpRequest/
>HttpServletRequest, what happens?!
>My question is about SSL session that is established,  about HTTP session
>that is in the higher layer, and about session available on Servlet. I want
>to know  if the SSL session is the same HTTP session and is the same 

No, the SSL session and the HTTP session are completely different and 
unrelated.  It is possible to get the SSL session ID via the request 
attribute "javax.servlet.request.ssl_session" (this is a Tomcat specific 
feature, so is not portable).  You can use that in a Filter to link the HTTP 
session to the SSL session, but that's about it.
>My concern is about keeping a secure session, even if the SSL session is
>broken. I.e., suppose the following situation:
>- An HTTPS connection is established and an HttpServlet session is
>created - the user is authenticated by a certificate (mutual authentication)
>- I turn off the network - the SSL session is broken (I suppose
>that's what happens)
>- When I turn the network on, the user is authenticated because
>the session on the server didn't end (there wasn't a timeout yet)

This is normal, the browser will ask to rejoin its former SSL session and 
Tomcat will see no reason why not.  And even if there was a new SSL session, 
most browsers will treat CLIENT-CERT auth like BASIC, and quietly resend 
the previously selected cert without prompting the user again.

>This is a big problem. How can I control this?!
>
>Bárbara Vieira

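One way to use that request attribute, as an added example of the linking Filter Bill describes (this is not code from the thread or from Tomcat; the session attribute name, the string comparison of the attribute value, and the 403/401 responses are this example's own choices):

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Binds an HTTP session to the SSL session it was first seen under. */
public class SslSessionBindingFilter implements Filter {
    // Tomcat-specific request attribute named in the thread (not portable).
    private static final String SSL_SESSION_ATTR = "javax.servlet.request.ssl_session";
    // Session attribute name chosen for this example (assumption, not a Tomcat name).
    private static final String BOUND_SSL_ID = "example.boundSslSessionId";

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        Object sslId = request.getAttribute(SSL_SESSION_ATTR);
        if (sslId == null) {
            // Not an SSL connection (or attribute unavailable): refuse rather than guess.
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "SSL required");
            return;
        }
        String currentSslId = sslId.toString(); // assumes the value has a stable string form

        HttpSession session = request.getSession(false);
        if (session != null) {
            Object bound = session.getAttribute(BOUND_SSL_ID);
            if (bound == null) {
                // First request on this HTTP session: remember the SSL session it runs under.
                session.setAttribute(BOUND_SSL_ID, currentSslId);
            } else if (!bound.equals(currentSslId)) {
                // A different SSL session is now carrying this HTTP session: drop the HTTP
                // session so the user must authenticate again instead of being resumed.
                session.invalidate();
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED,
                        "SSL session changed; please authenticate again");
                return;
            }
        }
        chain.doFilter(req, res);
    }
}
```

Map the filter in web.xml to the protected URL pattern. Note that a browser resuming its former SSL session after a network drop presents the same SSL session ID, so this check only fires when a genuinely new SSL session appears, which is exactly the caveat Bill gives above.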