tomcat-users mailing list archives

From atul <techat...@yahoo.com>
Subject Re: Force getting Client Cert from browser
Date Fri, 24 Oct 2008 21:59:47 GMT
I tried sending an HTTP (using HTTP/1.1) Connection: close header on the response, which didn't work either...sigh.





________________________________
From: atul <techatool@yahoo.com>
To: Tomcat Users List <users@tomcat.apache.org>
Sent: Friday, October 24, 2008 2:03:20 PM
Subject: Re: Force getting Client Cert from browser


Chuck, Thanks for your prompt response.

> Invalidate the session after every request - but only if you really want to annoy your users.

Which session? Is there some way I can invalidate SSLSession?
I tried invalidating HttpSession but that didn't work.
I put a trace to make sure that the browser is not automatically sending the cached client cert.

Also, in a deployment where a machine is shared by multiple users and user1 forgets to
close the browser before leaving, the user can log right in as user1.




________________________________
From: "Caldarale, Charles R" <Chuck.Caldarale@unisys.com>
To: Tomcat Users List <users@tomcat.apache.org>
Sent: Friday, October 24, 2008 12:14:45 PM
Subject: RE: Force getting Client Cert from browser

> From: atul [mailto:techatool@yahoo.com]
> Subject: Force getting Client Cert from browser
>
> Tomcat never initiates ssl renegotiation - probably because
> it hangs onto sslsocket and sslsession object for performance.

No - it's because the *browser* uses the same sessionid and connection.  Nothing Tomcat can
do about that.

> Is there any way we can effect tomcat to forcefully
> renegotiate ssl for client cert ?

Invalidate the session after every request - but only if you really want to annoy your users.

- Chuck

