I have a scenario right now I need help with. My Tomcat is configured for SSL, client certificate authorization and Certificate Revocation List checking (all outside certificates).
We have a scenario (we've found it in testing) where we do a transaction in our application, then the user pulls his smart card out (client certificate) and a new user comes up and puts his card in. Tomcat isn't recognizing that a new certificate is in place and is allowing the new user, with the new certificate, to transact without validating his credentials. It appears as if the old session is still being utilized by the client (Windows or Unix, Firefox or IE) and Tomcat, which seems very odd. I would have expected the new cert to have forced a new SSL session to be created and Tomcat to puke at an attempt to submit a transaction on the old session.

Any thoughts/advice/guidance?
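One application-side check for the card-swap case described above, added here as an example and not code from the original post or from Tomcat itself: a servlet filter that ties the container session to the SHA-256 fingerprint of the client certificate that created it and invalidates the session when a later request arrives with a different (or no) certificate. It assumes the javax Servlet API (Tomcat 9 or earlier; Tomcat 10 uses the jakarta package) and that the connector is configured with client authentication so Tomcat populates the standard `javax.servlet.request.X509Certificate` attribute; the filter class and attribute names are invented for the example.

```java
import java.io.IOException;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Binds the HTTP session to the client certificate that created it. A later
// request on the same session that presents a different certificate, or none,
// gets the session invalidated and a 401, so a card swap cannot ride on a
// session the previous card holder authenticated.
public class CertBoundSessionFilter implements Filter {
    // Hypothetical session attribute name used only by this example
    private static final String ATTR = "certbound.fingerprint";

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        // Standard servlet attribute that Tomcat sets when clientAuth is in use
        X509Certificate[] certs =
            (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate");
        String current = fingerprint(certs);          // null when no cert was presented
        HttpSession session = http.getSession(false);
        if (session != null) {
            String bound = (String) session.getAttribute(ATTR);
            // Mismatch covers both "different card" and "card removed"
            if (bound != null && !bound.equals(current)) {
                session.invalidate();
                ((HttpServletResponse) res).sendError(HttpServletResponse.SC_UNAUTHORIZED,
                        "client certificate changed; re-authenticate");
                return;
            }
        }
        if (current != null) {
            // First authenticated request: record the certificate on the session
            http.getSession(true).setAttribute(ATTR, current);
        }
        chain.doFilter(req, res);
    }

    // SHA-256 over the DER encoding of the end-entity certificate, as lowercase hex
    static String fingerprint(X509Certificate[] certs) {
        if (certs == null || certs.length == 0) return null;
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(certs[0].getEncoded());
            StringBuilder hex = new StringBuilder();
            for (byte b : digest) hex.append(String.format("%02x", b));
            return hex.toString();
        } catch (Exception e) {
            throw new IllegalStateException("cannot fingerprint client certificate", e);
        }
    }
}
```

Register it in web.xml (or with `@WebFilter`) ahead of the application's servlets; it only guards the HTTP session and does nothing about TLS session caching on the connector, which is a separate setting.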