On Wed, Apr 12, 2000 at 07:44:35AM -0700, Jacob Cohen wrote:
> I am trying to determine a good length for SSL Session timeouts. It appears
> the default cache length is 5 minutes, but if the session is reused within
> those five minutes, its timeout is renewed to five minutes, and so on.
Yep, as set by the directive SSLSessionCacheTimeout.
>
> What I can't find is whether there is a global maximum number of
> times/length of time you can use a given SSL session, and/or where to set
> that. It might be browser-specific, I don't know.
On the server side you can set a maximum time with SSLSessionCacheTimeout,
but different clients have their own settings:
Netscape: Default is as long as the browser is open, but it can be set to
immediate expiry or x minutes (Security/Passwords)
IE4+5: ~2 minutes
IE5 on W2K: somebody said ~1 hour.
>
> Is it possible to set the maximum length that an SSL session can live? Say
> one hour, with expiry in the default 5 minutes if no reuse?
>
AFAIK not without hacking the mod_ssl code - is there any specific reason
that you want to do this?
vh
Mads Toftum
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]