Subject: Re: Invalidate the SSLSession?
Date: Thu, 5 Jan 2006 17:12:09 +0100
From: "Andreas Persson"
To: "Tomcat Developers List"

Thank you for your answer! I have done some tests now, and you're right, it wasn't enough to just do SSLSession.invalidate(). But if I also close the socket, by doing response.setHeader("Connection", "close") it seemed to work. But when I read your message I realize that there might be other sockets open that also need to be closed.

/Andreas

-----Original Message-----
From: Armin Häberling [mailto:arminha@student.ethz.ch]
Sent: 5 January 2006 16:52
To: Tomcat Developers List
Subject: Re: Invalidate the SSLSession?

Hi,

I think calling SSLSession.invalidate() will not suffice to log out the user. Because calling invalidate() will only prevent the client from opening a new SSL-connection using the same session, but has no influence on existing ssl-connections using that session. That means the user is not logged out until all connections using that session are closed.

See also the java api:
http://java.sun.com/j2se/1.5.0/docs/api/javax/net/ssl/SSLSession.html#invalidate()

Armin

Andreas Persson wrote:
> Hi,
>
> I'm trying to implement a feature that I think is missing, but I'm
> feeling pretty lost in the Tomcat sources. When SSL client
> authentication is used, I would like to be able to logout the user. I
> think this means that I need to call invalidate() on the SSLSession
> (I'm using the JSSE implementation). But, the SSLSession or SSLSocket
> is not available for the servlet code.
>
> Does anyone have some hints on how this could be solved? Should I try
> to make the SSLSession available in a request parameter, or should
> the invalidate method call in some way be placed inside the server
> code?
>
> /Andreas
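
Added example, not part of the original thread and not Tomcat code: the thread concludes that a logout has to invalidate the SSLSession and also close every connection still using it. The hypothetical `SslSessionRegistry` class below does that for a standalone JSSE server that accepts its own `SSLSocket`s; it assumes connections sharing a session report the same `getId()` bytes, and that the caller invokes `track()` before each handshake.

```java
import java.io.IOException;
import java.nio.ByteBuffer;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;

/** Hypothetical helper: maps each SSL session to the sockets currently using it. */
public final class SslSessionRegistry {
    // The key wraps the session ID bytes so equals/hashCode compare content.
    private final Map<ByteBuffer, Set<SSLSocket>> bySession = new ConcurrentHashMap<>();

    private static ByteBuffer key(SSLSession session) {
        return ByteBuffer.wrap(session.getId());
    }

    /** Call on every accepted socket before its handshake starts. */
    public void track(SSLSocket socket) {
        socket.addHandshakeCompletedListener(event -> {
            SSLSession session = event.getSession();
            bySession.compute(key(session), (k, set) -> {
                if (set == null) set = new HashSet<>();
                set.add(event.getSocket());
                return set;
            });
            // Session was invalidated while this handshake was finishing:
            // logout() may already have emptied the entry, so close here.
            if (!session.isValid()) {
                untrack(event.getSocket(), session);
                closeQuietly(event.getSocket());
            }
        });
    }

    /** Call when a connection ends so the registry does not retain it. */
    public void untrack(SSLSocket socket, SSLSession session) {
        bySession.computeIfPresent(key(session), (k, set) -> {
            set.remove(socket);
            return set.isEmpty() ? null : set;
        });
    }

    /** Invalidates the session, then closes every socket bound to it. */
    public int logout(SSLSession session) {
        session.invalidate();                 // blocks new connections on this session
        Set<SSLSocket> open = bySession.remove(key(session));
        if (open == null) return 0;
        int closed = 0;
        for (SSLSocket s : open) if (closeQuietly(s)) closed++;
        return closed;                        // number of live connections torn down
    }

    private static boolean closeQuietly(SSLSocket s) {
        try { s.close(); return true; } catch (IOException e) { return false; }
    }
}
```

Inside a servlet container the connector owns the sockets, so servlet code cannot do this itself; there, the `Connection: close` header Andreas describes only ends the connection carrying that one response.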