Return-Path: Delivered-To: apmail-tomcat-dev-archive@www.apache.org Received: (qmail 69795 invoked from network); 5 Jan 2006 15:52:58 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (209.237.227.199) by minotaur.apache.org with SMTP; 5 Jan 2006 15:52:58 -0000 Received: (qmail 29362 invoked by uid 500); 5 Jan 2006 15:52:43 -0000 Delivered-To: apmail-tomcat-dev-archive@tomcat.apache.org Received: (qmail 29282 invoked by uid 500); 5 Jan 2006 15:52:43 -0000 Mailing-List: contact dev-help@tomcat.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: "Tomcat Developers List" Delivered-To: mailing list dev@tomcat.apache.org Received: (qmail 29253 invoked by uid 99); 5 Jan 2006 15:52:43 -0000 Received: from asf.osuosl.org (HELO asf.osuosl.org) (140.211.166.49) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 05 Jan 2006 07:52:43 -0800 X-ASF-Spam-Status: No, hits=0.0 required=10.0 tests= X-Spam-Check-By: apache.org Received-SPF: neutral (asf.osuosl.org: local policy) Received: from [82.130.70.14] (HELO XSMTP0.ethz.ch) (82.130.70.14) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 05 Jan 2006 07:52:42 -0800 Received: from xfe0.d.ethz.ch ([82.130.124.40]) by XSMTP0.ethz.ch with Microsoft SMTPSVC(6.0.3790.1830); Thu, 5 Jan 2006 16:52:20 +0100 Received: from [10.0.0.10] ([83.77.212.199]) by xfe0.d.ethz.ch over TLS secured channel with Microsoft SMTPSVC(6.0.3790.1830); Thu, 5 Jan 2006 16:52:20 +0100 Message-ID: <43BD40B5.3020101@student.ethz.ch> Date: Thu, 05 Jan 2006 15:52:21 +0000 From: =?ISO-8859-1?Q?Armin_H=E4berling?= User-Agent: Mozilla Thunderbird 1.0.7 (Windows/20050923) X-Accept-Language: en-us, en MIME-Version: 1.0 To: Tomcat Developers List Subject: Re: Invalidate the SSLSession? References: In-Reply-To: Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-OriginalArrivalTime: 05 Jan 2006 15:52:20.0277 (UTC) FILETIME=[02D29650:01C61210] X-Virus-Checked: Checked by ClamAV on apache.org X-Spam-Rating: minotaur.apache.org 1.6.2 0/1000/N Hi, I think calling SSLSession.invalidate() will not suffice to logout the user. Because calling invalidate() will only prevent the client to open a new SSL-connection using the the same session, but has no influence on existing ssl-connections using that session. That means the user is not logged out until all connections using that session are closed. See also the java api: http://java.sun.com/j2se/1.5.0/docs/api/javax/net/ssl/SSLSession.html#invalidate() Armin Andreas Persson wrote: > Hi, > > I'm trying to implement a feature that I think is missing, but I'm > feeling pretty lost in the Tomcat sources. When SSL client > authentication is used, I would like to be able to logout the user. I > think this means that I need to call invalidate() on the SSLSession > (I'm using the JSSE implementation). But, the SSLSession or SSLSocket > is not available for the servlet code. > > Does anyone have some hints on how this could be solved? Should I try > to make the SSLSession available in a request parameter, or should > the invalidate method call in some way be placed inside the server > code? > > /Andreas > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org For > additional commands, e-mail: dev-help@tomcat.apache.org > > --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org For additional commands, e-mail: dev-help@tomcat.apache.org