tomcat-dev mailing list archives

From Bojan Smojver
Subject Re: [Fwd: using SSL_SESSION_ID for session tracking, anyone done it?]
Date Mon, 10 Dec 2001 21:47:26 GMT
Joel Roth-Nater wrote:
> My idea is to let Apache handle SSL traffic, but pass the SSL_SESSION_ID
> through mod_webapp to Tomcat. Tomcat could then use it to track its
> sessions without cookies or URL-rewriting. Before I start writing the
> code myself, I wonder if anyone has tried to do it.
> I've been all over the list-archives, source code and doc to no avail,
> yet the J2EE spec mandates "SSL" as one of the methods for session
> tracking. Am I missing something?

Don't know about TC 4.x, but 3.3 from CVS has support for checking
Tomcat session IDs against SSL session IDs to prevent session
hijacking. Not sure if that helps you in any way...
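
An added sketch of the kind of check the reply mentions (not Tomcat 3.3's code and not part of the original message): an application session ID is pinned to the SSL session ID it was first seen with, and a later request carrying the same application session ID over a different SSL session is flagged. The class and method names are hypothetical, and it is assumed that the SSL front end passes the SSL session ID on to the code.

```java
import java.util.Map;
import java.util.Objects;
import java.util.concurrent.ConcurrentHashMap;

// Added illustration, not Tomcat's code; class and method names are hypothetical.
public class SslSessionBinding {

    public enum Result { BOUND, OK, MISMATCH, NO_SSL }

    // Application session ID -> SSL session ID it was first seen with.
    private final Map<String, String> bindings = new ConcurrentHashMap<>();

    // appSessionId: session ID from the cookie or rewritten URL.
    // sslSessionId: SSL session ID reported for this connection (assumed to be
    // passed on by the SSL front end), or null if the request was not over SSL.
    public Result check(String appSessionId, String sslSessionId) {
        Objects.requireNonNull(appSessionId, "appSessionId");
        if (sslSessionId == null || sslSessionId.isEmpty()) {
            return Result.NO_SSL; // nothing to compare; caller decides policy
        }
        String bound = bindings.putIfAbsent(appSessionId, sslSessionId);
        if (bound == null) {
            return Result.BOUND; // first request: remember the pairing
        }
        // Same application session over a different SSL session: the ID may
        // have been replayed from another client, or the legitimate client
        // negotiated a new SSL session. The caller chooses the response,
        // e.g. invalidate the session or require re-authentication.
        return bound.equals(sslSessionId) ? Result.OK : Result.MISMATCH;
    }

    // Call when the application session is invalidated or expires.
    public void forget(String appSessionId) {
        bindings.remove(appSessionId);
    }

    public static void main(String[] args) {
        SslSessionBinding binding = new SslSessionBinding();
        // Constructed sample values, not real identifiers.
        String app = "APPSESSION-1";
        System.out.println(binding.check(app, "ssl-aaaa"));
        System.out.println(binding.check(app, "ssl-aaaa"));
        System.out.println(binding.check(app, "ssl-bbbb"));
        System.out.println(binding.check(app, null));
        binding.forget(app);
        System.out.println(binding.check(app, "ssl-bbbb"));
    }
}
```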

