Chuck, Thanks for your prompt response.
> Invalidate the session after every request - but only if you really want to annoy your
users.
which session ? Is there somehow I can invalidate SSLSession ?
I tried invalidating httpsession but that didnt work.
I put a trace to make sure that browser is not automatically sending the cached client cert.
Also, in a deployment where if a machine is shared by multiple users and user1 forgets to
close the browser before leaving, the user can log right in as user1.
________________________________
From: "Caldarale, Charles R" <Chuck.Caldarale@unisys.com>
To: Tomcat Users List <users@tomcat.apache.org>
Sent: Friday, October 24, 2008 12:14:45 PM
Subject: RE: Force getting Client Cert from browser
> From: atul [mailto:techatool@yahoo.com]
> Subject: Force getting Client Cert from browser
>
> Tomcat never initiates ssl renegotiation - probably because
> it hangs onto sslsocket and sslsession object for performance.
No - it's because the *browser* uses the same sessionid and connection. Nothing Tomcat can
do about that.
> Is there anyway we can effect tomcat to forcefully
> renegotiate ssl for client cert ?
Invalidate the session after every request - but only if you really want to annoy your users.
- Chuck
THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus
for use only by the intended recipient. If you received this in error, please contact the
sender and delete the e-mail and its attachments from all computers.
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
|