I am considering using SSL_SESSION_IDs as part of my
authentication/session management scheme. (Using Apache, mod_ssl, PHP

However, the fact that for example Internet Explorer forces renogiate of
the SSL session (every 2 minutes) causes problems to the session
management. Is there any way to know (interact with apache mod_ssl) when
the renogiation is done.

By example, the goal would be to know within PHP if the newly renegotiated
SSL_SESSION_ID 123671253761253765123765312 is continuation to the previous
SSL_SESSION_ID for the logged-in user or to notice if the SSL session is
comptely fresh and new and does not have anything to do with previous

If I understood the SSL documentation correctly, this should be possible
as I understood that there is some "inheritance" in the renogotiation. Or
am I completely lost here and the SSL session is built "from scratch" upon

If this little :) problem could be avoided, this would provide a pretty
trustable add-on to authentication and session management. 

Any input? 

Jussi Kallioniemi  <[EMAIL PROTECTED]>  http://www.cyberian.org/
PGP http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xF462C77A

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to