Denny Lee <[EMAIL PROTECTED]> writes:
> Is there a relatively easy way for me to obtain the SSL session ID via
> Perl/CGI ? I wanted to refer to that session id to help me validate the
> user that is logging into the web site. Any help will be greatly
> appreciated - including being told that I don't know what I'm talking about.
Please see:
http://www.modssl.org/docs/2.6/ssl_reference.html#ToC21
http://www.modssl.org/docs/2.6/ssl_reference.html#ToC25
I wouldn't rely on this solely. IE has a nasty habit of ALWAYS re-negotiating
every two minutes[1]. I would do something like:
    set_session {
        session = read SSL session id from SSL_SESSION_ID environment variable;
        create MY_SESSION cookie using session;
    }

    get_session {
        session = read value from MY_SESSION cookie;
        return session;
    }
And depending upon your level of paranoia, the value of this cookie could be
the hash of the SSL session id, a secret, and the client's IP
addr. Whether or not this is the best combination, I dunno.
-Tom
[1] This appears to have been bumped up to two hours under W2K.
--
Tom Vaughan <tvaughan at aventail dot com>
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
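
One way to build the hashed MY_SESSION value suggested in the reply above, as an added example that is not part of the original post. It swaps the plain hash for HMAC-SHA256 keyed with the secret; the "id:mac" cookie layout, the helper names and the sample values are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Assumption: a server-side secret, loaded from protected configuration in practice.
my $SECRET = 'constructed-example-secret';

# Value for the MY_SESSION cookie: "<SSL session id>:<MAC over id and client IP>".
sub make_cookie_value {
    my ($ssl_sid, $ip) = @_;
    return "$ssl_sid:" . hmac_sha256_hex("$ssl_sid|$ip", $SECRET);
}

# Compare two strings without stopping at the first differing byte.
sub ct_eq {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Returns the session id stored in the cookie, or undef if the value is
# malformed, was edited, or is presented from a different client address.
# The current SSL_SESSION_ID is not consulted, so a renegotiated SSL
# session does not invalidate the cookie.
sub check_cookie_value {
    my ($value, $ip) = @_;
    my ($sid, $mac) = ($value // '') =~ /\A([0-9A-Fa-f]+):([0-9a-f]{64})\z/
        or return;
    return ct_eq($mac, hmac_sha256_hex("$sid|$ip", $SECRET)) ? $sid : undef;
}

# Constructed sample values standing in for $ENV{SSL_SESSION_ID} and
# $ENV{REMOTE_ADDR} as seen by the CGI script at login time.
my $cookie = make_cookie_value('3F2A9C01D4', '192.0.2.10');
(my $edited = $cookie) =~ s/\A3F/4F/;

for my $case (['same client', $cookie, '192.0.2.10'],
              ['other IP',    $cookie, '198.51.100.7'],
              ['edited id',   $edited, '192.0.2.10']) {
    my ($label, $value, $ip) = @$case;
    my $sid = check_cookie_value($value, $ip);
    printf "%-12s %s\n", $label, defined $sid ? "accepted ($sid)" : 'rejected';
}
```

In a CGI script the cookie itself would be sent with the Secure attribute so it only travels over the SSL connection.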