I think he's confused.

The browser will re-use the last -credentials- (username and password)
supplied, until the browser is closed.  (This is expected behavior on the 
HTTP layer, as the browsers are expected to cache the username and
password.)  This is completely independent of the SSL session, which is
following the 'SSLSessionCache none' rule.

The only way to fix this would be to set up a cookie that times out, along
with requiring a different authentication system (not Basic
authentication).

---
Mat Butler, Winged Wolf                       <[EMAIL PROTECTED]>
SPASTIC Web Engineer                  SPASTIC Server Administrator
----Begin FurryCode v1.3----
FCWw5amrsw A- C+ D H+++ M+++++[servercoder] P+ R++ T+++ W Z++ Sm++ 
RLCT/M*/LW* a cl/u/v++++>+++++ !d e- f>++++ h++ iwf+++ j p->+ sm++
----End FurryCode v1.3----


On Fri, 12 May 2000, Jacob Cohen wrote:

> I believe OpenSSL also maintains an internal session cache. If it finds
> the session there, it won't even call the mod_ssl retrieve callback.
> You can probably configure OpenSSL to not cache, or at least edit the
> session cache timeout it has to something like 1 second, in
> openssl-ver/ssl/ssl-sess.c
> 
> J.
> 
> >I want to turn off session caching so that every time I request a
> >secure page I do the ssl handshake.  I set SSLSessionCache none, but
> >if I leave my secure site and then come back it never does the secure
> >handshake again; it always reuses the previous session.  It does this
> >both with IE and Netscape.
> >The only way to get it to initiate another session is to close the
> >browser.
> 
> ______________________________________________________________________
> Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
> User Support Mailing List                      [EMAIL PROTECTED]
> Automated List Manager                            [EMAIL PROTECTED]
> 
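An added example, not part of the original thread: a minimal sketch of the cookie-with-timeout approach suggested in the reply, contrasted with the Basic `Authorization` header that a browser resends unchanged no matter how the SSL session cache is configured. The secret, the lifetime, the cookie layout and all function names are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"  # assumption: server-side secret, constructed here
TTL = 300                         # assumption: session lifetime in seconds


def basic_header(user, password):
    """The header a browser caches and resends until it is closed.
    It carries no expiry, so the server cannot time it out."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return "Basic " + token


def _mac(payload):
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()


def issue_cookie(user, now=None):
    """Issue 'user|expiry|mac' after a successful form (non-Basic) login."""
    issued = int(time.time() if now is None else now)
    payload = f"{user}|{issued + TTL}"
    return f"{payload}|{_mac(payload)}"


def check_cookie(cookie, now=None):
    """Return the user if the cookie is authentic and unexpired, else None."""
    try:
        user, expiry, mac = cookie.rsplit("|", 2)
        expires_at = int(expiry)
    except ValueError:
        return None  # malformed cookie
    expected = _mac(f"{user}|{expiry}")
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return None  # user or expiry was altered
    current = time.time() if now is None else now
    return user if current < expires_at else None


if __name__ == "__main__":
    c = issue_cookie("alice", now=1000)
    print(check_cookie(c, now=1100))  # still valid
    print(check_cookie(c, now=1300))  # expired: must log in again
```

Because the expiry is covered by the MAC, a client cannot extend its own session; once `check_cookie` returns `None` the server redirects to the login form instead of trusting cached credentials.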