tomcat-users mailing list archives

From Christopher Schultz <>
Subject Re: Tomcat 7 SSL Session ID
Date Tue, 04 Dec 2012 16:12:49 GMT

On 12/4/12 9:15 AM, Vincent Goelen wrote:
> To be clear, I do not want a 0ms timeout... I'm doing research
> about how "usable" the SSL session tracking option is for session
> management... With the standard settings it seems very unstable to
> me, when sending a lot of parallel requests I get a broken socket
> error invalidating the ssl session and making the session with this
> id disappear. In this case it would seem to me that it's easy to
> create Denial of Service attacks by just sending a lot of requests
> so the user loses his session.

Forgive me, but it sounded like you set timeout=0 and then started
getting weird behavior. I would have totally expected weird behavior
with timeout=0 so that's why I was asking.

You are going to need to provide a lot more detail about the
session-invalidation (you're talking about *SSL session* invalidation,
not HttpSession invalidation, right?) you are observing if you want to
get any help. Lots of technical details, logs, explicit configuration
(even if it is the default), specific version numbers ("Tomcat 7"
isn't good enough), etc.

You should also try it on a couple of different platforms. What
happens on Linux? Windows? Solaris? Whatever you've got laying around.

> I've added a screenshot of a capture where things go wrong without
> setting a keepAlive.

Attachments get stripped from this list: please post the file
somewhere else and provide a link.

> So I send a lot of requests to the server,

How many is a lot? Serial or parallel? How many parallel threads? Be

-chris

