Subject: Re: SSL session is the same HTTP session and is the same Servlet session

Google

Mailing List

Home

Forum Home

JBoss - Java Application Server

Tomcat - JSP/Servlet container

Struts - A MVC web framework

iText - An open source PDF Java Library

JDOM - JDOM XML Parser

JSP - A mailing list about Java Server Pages specification and reference

J2EE - A mailing list for Java(tm) 2 Platform, Enterprise Edition

J2EE Pattern - An interest list for Sun Java Center J2EE Pattern Catalog

Servlet - A mailing list for discussion about Sun Microsystem's Java Servlet API Technology

Struts & Hibernate

Subjects

•	JSP editor plugin for eclipse ?
•	org apache jasper JasperException: Unable to compile class for JSP
•	Tomcat: Connection reset by peer: socket write error
•	Cannot retrieve definition for form bean null
•	Struts Tiles Tutorial (free Struts training)
•	Where do I download Tomcat 4 0 6?
•	Data Access Object (DAO) pattern, example DAO 's
•	Where to download Tomcat v 4 1 24 from?
•	Tomcat 5 0 16 Requested resource not available
•	Subject: Servlet : Session invalidate
•	Oracle Connection Pooling in 3 2 2
•	Servlet action is currently unavailable
•	Tomcat/Struts Unicode Encoding/Decoding problems
•	Subject: Running a Simple JMS Example
•	Tomcat and webapplication specific java library path
•	Mapping in workers2 properties
•	org apache jasper JasperException
•	problem with html:text bean throwing exception
•	Cannot find message resources under key org apache struts action MESSAGE
•	Cannot find message resources under key org apache struts action MESSAGE
•	invalid direct reference problem with solution
•	Tool for jsp debug Try Sysdeo Eclipse Plugin
•	Tomcat 5 Cannot load JDBC driver class 'null ' SQL state: null
•	weblogic ejbc
•	java properties file
•	Jboss 3 2 3 Coyote Can 't re
•	Tomcat 5, Apache2 and mod jk2 integration problem
•	JBoss example problem new to J2EE
•	Value attribute of <html:checkbox
•	url string for connecting jboss to oracle
•	javax servlet ServletException: BeanUtils populate
•	5 0 18: Windows XP Pro vs Windows 2000
•	HTTP Status 404 The requested resource is not available

Subject: Re: SSL session is the same HTTP session and is the same Servlet session

Subject: Re: SSL session is the same HTTP session and is the same Servlet session

2007-11-03 - By Bill Barker

Back

>"B?rbara Vieira" <barbarasv@(protected)> wrote in message
>news:003501c81e67$75f870e0$61e952a0$@(protected)
>
>
>
>
>This question is about Tomcat's architecture.
>
>When a connection HTTP over SSL(HTTP) is established, Tomcat encapsulates
>this connection in an object - CoyoteConnector. After that, this object is
>transformed in another objects, until it is encapsulated in a HttpRequest
>object. When the connection is encapsulated on a HttpRequest/
>HttpServletRequest, what's happen?!
>
>My question is about SSL session that is established, about HTTP session
>that is in the higher layer, and about session available on Servlet. I want
>to know if the SSL session is the same HTTP session and is the same
>Servlet
>session.
>

No, the SSL session and the HTTP session are completely different and
unrelated. It is possible to get the SSL session ID via the request
attribute "javax.servlet.request.ssl_session" (this is a Tomcat specific
feature, so is not portable). You can use that in a Filter to link the HTTP
session to the SSL session, but that's about it.
>
>
>My concern is about keeping a secure session, even if the SSL session is
>broken. Ie, suppose the following situation:
>
>- An HTTPS connection is established and a HttpServlet session is
>created - the user is authenticated by a certificate(mutual authentication)
>
>
>- I turn off the network - the SSL session is broken(I suppose
>that
>is what's happen)
>
>- When I turn on the network, the user is authenticated because
>the session on server didn't end(there wasn't a timeout yet)
>
>

This is normal, the browser will ask to rejoin its former SSL session and
Tomcat will see no reason why not. And even if there was a new SSL session,
most browsers will treat CLIENT-CERT auth liike BASIC, and quietly resend
the previously selected cert without prompting the user again.

>
>This is a big problem. How can I control this?!
>

Thanks,

B?rbara Vieira

-- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ------
To start a new topic, e-mail: users@(protected)
To unsubscribe, e-mail: users-unsubscribe@(protected)
For additional commands, e-mail: users-help@(protected)