Stefan Meissner wrote:

>> What I'm still not clear about is what you're trying to do with it here 
>> (I don't know how well you know SSL/TLS). Whether with Restlets or Servlets, 
>> it doesn't seem right to use that for maintaining some sort of 
>> application session.
> 
> As you may have noticed I'm a newbie in all the fields you just mentioned ;) 
> 
> The use case I have in mind is like this:
> http://forums.java.net/jive/message.jspa?messageID=279268

Leaving aside the fact that on a REST-related list you won't necessarily 
find much advocacy for sessions...

Using the SSL session ID as a session identifier for whatever your 
application is going to do is generally not a good idea.
SSL sessions have a usually short life-time (10-15 minutes, depending on 
the configuration). The HTTP layer is oblivious to what's happening in 
terms of SSL sessions: the browser and the server will resume/invalidate 
them as they see fit, more or less independently of what's going on in 
HTTP terms.


Best wishes,

Bruno.

------------------------------------------------------
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2452184
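
The mismatch described in the message above, as an added example that is not part of the original post: a toy simulation in which one browser's requests are replayed against a cart keyed by the TLS session ID and against a cart keyed by a random token the application issues itself. The class names, the 600-second TLS lifetime, the 1800-second idle limit and the timeline are all assumptions made for illustration; no real TLS stack is involved.

```python
import secrets

TLS_SESSION_LIFETIME = 600      # seconds; assumed, in the 10-15 minute range cited above
APP_SESSION_IDLE_LIMIT = 1800   # seconds; assumed application policy


class TlsLayer:
    """Toy server-side TLS session cache: resume while fresh, else full handshake."""
    def __init__(self):
        self.created = {}  # tls_session_id -> creation time

    def handshake(self, offered_id, now):
        born = self.created.get(offered_id)
        if born is not None and now - born < TLS_SESSION_LIFETIME:
            return offered_id                 # resumed: same ID
        new_id = secrets.token_hex(16)        # full handshake: new ID
        self.created[new_id] = now
        return new_id


class AppSessions:
    """Application sessions keyed by a random token the application controls."""
    def __init__(self):
        self.sessions = {}  # token -> (last_seen, cart)

    def cart_for(self, token, now):
        entry = self.sessions.get(token)
        if entry is None or now - entry[0] >= APP_SESSION_IDLE_LIMIT:
            token, entry = secrets.token_urlsafe(32), (now, [])
        self.sessions[token] = (now, entry[1])  # refresh idle timer
        return token, entry[1]


def replay(request_times):
    """Replay one browser's requests; return the carts under each keying scheme."""
    tls, app = TlsLayer(), AppSessions()
    carts_by_tls_id = {}
    tls_id = cookie = None
    for n, now in enumerate(request_times):
        tls_id = tls.handshake(tls_id, now)   # decided by the TLS layer alone
        carts_by_tls_id.setdefault(tls_id, []).append(f"item{n}")
        cookie, cart = app.cart_for(cookie, now)
        cart.append(f"item{n}")
    return list(carts_by_tls_id.values()), [c for _, c in app.sessions.values()]


# Constructed timeline: five requests from one browser over about 23 minutes.
TIMELINE = [0, 300, 650, 900, 1400]
```

Calling `replay(TIMELINE)` splits the five items across three carts when the TLS session ID is the key, while the application-issued token keeps them in one.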