tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Armin Häberling <>
Subject Re: Invalidate the SSLSession?
Date Thu, 05 Jan 2006 15:52:21 GMT

I think calling SSLSession.invalidate() will not suffice to logout the 
user. Because calling invalidate() will only prevent the client to open 
a new SSL-connection using the the same session, but has no influence on 
existing ssl-connections using that session. That means the user is not 
logged out until all connections using that session are closed.
See also the java api:


Andreas Persson wrote:
> Hi,
> I'm trying to implement a feature that I think is missing, but I'm
> feeling pretty lost in the Tomcat sources. When SSL client
> authentication is used, I would like to be able to logout the user. I
> think this means that I need to call invalidate() on the SSLSession
> (I'm using the JSSE implementation). But, the SSLSession or SSLSocket
> is not available for the servlet code.
> Does anyone have some hints on how this could be solved? Should I try
> to make the SSLSession available in a request parameter, or should
> the invalidate method call in some way be placed inside the server
> code?
> /Andreas
> ---------------------------------------------------------------------
>  To unsubscribe, e-mail: For
> additional commands, e-mail:

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message