Nothing is going on. When the smartcard is removed, nothing goes across the wire, so how could Tomcat possibly invalidate the session?
-----Original Message-----
From: users-return-239719-STEVEN.J.ADAMUS=saic....@tomcat.apache.org [mailto:users-return-239719-STEVEN.J.ADAMUS=saic....@tomcat.apache.org] On Behalf Of Mark Thomas
Sent: Wednesday, February 13, 2013 11:36 AM
To: Tomcat Users List
Subject: Re: SSL Session Caching

On 13/02/2013 18:49, Will Nordmeyer wrote:
> I have a scenario right now I need help with.
>
> My Tomcat is configured for SSL, client certificate authorization and
> Certificate Revocation List checking (all outside certificates).
>
> We have a scenario (we've found in testing) where we do a transaction
> in our application, then the user pulls his smart card out (client
> certificate) and a new user comes up and puts his card in. Tomcat
> isn't recognizing that a new certificate is in place and is allowing
> the new user, with the new certificate, to transact without validating
> his credentials.
>
> It appears as if the old session is still being utilized by the client
> (Windows or Unix, Firefox or IE) and Tomcat, which seems very odd.
>
> I would have expected the new cert would have forced a new SSL session
> to be created and Tomcat to puke at an attempt to submit a transaction
> on the old session.
>
> Any thoughts/advice/guidance?

Use Wireshark. If you provide it with your server's private key (should be
doable in a test environment) you'll be able to see exactly what is (or isn't)
going on.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
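The thread describes a second card holder continuing on the first user's session. One application-side mitigation, shown here as an added example that is not from the thread or from Tomcat itself, is a servlet filter that binds each HTTP session to the client certificate that created it and invalidates the session when a request on it carries a different certificate (or none). The filter and attribute names are hypothetical; it assumes the Servlet 4.0 API, where Filter.init/destroy have default bodies (add empty ones on Servlet 3.x).

```java
import java.io.IOException;
import java.security.cert.X509Certificate;
import javax.servlet.*;
import javax.servlet.http.*;

// Binds the HTTP session to the leaf client certificate that created it.
// A later request on the same session with a different certificate (or no
// certificate) invalidates the session and is rejected, so the next card
// holder cannot continue the previous user's session. Names are hypothetical.
public class CertBoundSessionFilter implements Filter {

    // Standard attribute under which Tomcat exposes the verified client chain.
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";
    // Hypothetical session attribute holding the bound certificate identity.
    private static final String BOUND_CERT = "bound.client.cert";

    // Identity of a certificate: issuer DN plus serial number (hex).
    private static String certId(X509Certificate leaf) {
        return leaf.getIssuerX500Principal().getName() + "/" + leaf.getSerialNumber().toString(16);
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        X509Certificate[] certs = (X509Certificate[]) request.getAttribute(CERT_ATTR);
        HttpSession session = request.getSession(false);

        if (certs == null || certs.length == 0) {
            // No client certificate on this connection: drop any existing session.
            if (session != null) session.invalidate();
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        String current = certId(certs[0]);
        if (session != null) {
            String bound = (String) session.getAttribute(BOUND_CERT);
            if (bound != null && !bound.equals(current)) {
                // Different card on an existing session: invalidate and reject.
                session.invalidate();
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
        }
        // Bind (or re-bind) the session to the certificate seen on this request.
        request.getSession(true).setAttribute(BOUND_CERT, current);
        chain.doFilter(request, response);
    }
}
```

The filter only sees the certificate Tomcat obtained from the TLS handshake, so if the browser resumes the old TLS session the old certificate is still what it sees; the Wireshark capture Mark suggests is how to confirm whether a new handshake actually happened after the card swap.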