Hi,

I've just submitted a patch:
http://restlet.tigris.org/issues/show_bug.cgi?id=1050

It can be useful for some applications to have access to the TLS session 
ID. (This could possibly be used by some ongoing FOAF+SSL work for example.)


Regarding the use of SSL session ID for maintaining session, this 
discussion should be of interest:
https://issues.apache.org/bugzilla/show_bug.cgi?id=22679


Basically, nothing even guarantees that the same session ID will be used 
for multiple requests (it's not just about those 10-15 minutes).

In addition, what RFC2818 <http://tools.ietf.org/html/rfc2818> says 
about (TLS) sessions is:
- "Note that an implementation which does this MAY choose to reuse the 
session. [...]"
- "It MAY resume a TLS session closed in this fashion."
- "Servers SHOULD be willing to resume TLS sessions closed in this
fashion."
- "As specified in [RFC2246], any implementation which receives a 
connection close without first receiving a valid closure alert (a 
"premature close") MUST NOT reuse that session."

It's quoted out of context, but they're all MAYs and SHOULDs (except 
about invalidating the session), which implies very little in terms of 
what can be expected from the session ID, regarding application session 
management.


Best wishes,

Bruno.


Stefan Meissner wrote:
> Ok Bruno, thanks for your assessment.
> 
> I'll forward your expert's opinion to the architect who gave me this task :)
> 
> But generally 10-15 minutes life-time of the session would be sufficient for 
> my use-case.
> 
> best regards
> Stefan
> 
> ------------------------------------------------------
> http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2452215
>

------------------------------------------------------
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2454411
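To illustrate Bruno's point that the TLS session ID is a poor key for application session state, here is an added toy model (not code from the thread or from Restlet) of the RFC 2818 / RFC 2246 cache rules he quotes: a server is merely permitted to resume a session, and a premature close forbids reuse. The class and function names are invented for the example, and the stored state is constructed.

```python
import secrets

class TlsSessionCache:
    """Toy server-side cache of resumable TLS sessions (a model, not a TLS stack)."""
    def __init__(self, willing_to_resume=True):
        # RFC 2818: a server MAY/SHOULD resume a session; nothing obliges it to.
        self.willing_to_resume = willing_to_resume
        self._resumable = set()

    def handshake(self, offered_id=None):
        """New connection: resume the offered session if allowed, else mint a fresh ID."""
        if self.willing_to_resume and offered_id in self._resumable:
            return offered_id
        new_id = secrets.token_hex(16)
        self._resumable.add(new_id)
        return new_id

    def close(self, session_id, clean):
        """A closure alert keeps the session resumable; after a premature close it MUST NOT be reused."""
        if not clean:
            self._resumable.discard(session_id)

def run_two_requests(clean_close=True, server_resumes=True):
    """Store app state on request 1 and look it up on request 2.

    Returns (found_by_tls_session_id, found_by_application_cookie).
    """
    tls = TlsSessionCache(willing_to_resume=server_resumes)
    state_by_tls_id, state_by_cookie = {}, {}
    # Request 1: the client has no session yet.
    sid1 = tls.handshake()
    cookie = secrets.token_urlsafe(16)  # application-level session token issued by the server
    state_by_tls_id[sid1] = state_by_cookie[cookie] = {"user": "alice"}  # constructed state
    tls.close(sid1, clean=clean_close)
    # Request 2: the client offers its old TLS session ID and presents the cookie.
    sid2 = tls.handshake(offered_id=sid1)
    return sid2 in state_by_tls_id, cookie in state_by_cookie
```

Only the clean-close, server-resumes case keeps the TLS-keyed state; the application cookie survives in every case because its lifetime is decided by the application, not the TLS layer.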
