tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jürgen Jakobitsch <>
Subject Re: SSLSession invalidate
Date Tue, 06 Sep 2011 21:42:31 GMT
i should make myself clearer, i guess...

i'm trying to close a SSL connection, in case someone wants to use another certificate
for a webpage that uses client-cert as authentication method.

i know how to close a session, tanks. what i dont't know, how to invalidate a SSLSession.
apparently there is one, i can get it's id with request.getAttribute("javax.servlet.request.ssl_session")
and also apparently it is not enough to do session.invalidate(), why? because i have it in
a logout.jsp
that redirects to my index.jsp. now if the SSL Connection would have been invalidated, i should
asked to choose a certificate from my browser certs, which i'm not, after passing my logout.jsp
i'm still logged in, i even have a request.setHeader("connection", "close") in my logout jsp,
doesn't help either (i have read that the header thing might be interpreted more as guideline
for the browser
and not necessarily close all connections).

in tomcat7 there's the possibility to use SSLSessionManager to invalidate SSLSession, so i'm
doing a
wild guess, that something similar has to be possible with tomcat6 as well.

so the overall workflow would be

1. first hit of index.jsp
2. i'm asked to choose a browser cert 
3. i log in with a browser cert
4. i hit the logout button, which makes an ajax request to logout.jsp
5. in logout.jsp i invalidate the normal HTTPSession and set the connection header to "close"

   => here some is missing to invalidate the SSLSession

6. in case of success of the logout-ajax request, i'm taken to index.jsp
   (now start over from point 1. again)
   only i'm not asked for a cert the second time, which is exactly what i want to achieve...
and before you asked : i don't want to switch to tomcat7 for this
   but need it get done in tomcat-6.0.32

any help really appreciated
wkr turnguard

----- Original Message -----
From: "baran topal" <>
To: "Tomcat Users List" <>
Sent: Tuesday, September 6, 2011 10:57:17 PM
Subject: Re: SSLSession invalidate

Greetings from Stockholm, this is Baran Topal.

As i was drinking my Guiness, i find your question interesting :)

Here you go:

HttpSession s = request.getSession(false);
if (s != null) s.invalidate();

Inform me whether this is working or not :)


On 6 sep 2011, at 22:09, Chema <> wrote:

>> how can access the SSLSession in a jsp or a servlet
>> to be able to invalidate it.
> Sorry, but
> is there any difference between to  invalidate a HTTP Session and a SSLSession ?
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> For additional commands, e-mail:

To unsubscribe, e-mail:
For additional commands, e-mail:

| Jürgen Jakobitsch, 
| Software Developer
| Semantic Web Company GmbH
| Mariahilfer Straße 70 / Neubaugasse 1, Top 8
| A - 1070 Wien, Austria
| Mob +43 676 62 12 710 | Fax +43.1.402 12 35 - 22


| web   :
| foaf  :
| skype : jakobitsch-punkt

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message