Do you think that it would be smart and/or desirable to 'enforce' the
check for all people that use sessions with SSL? In other words, if you
have a TC session, and you're running things over SSL, we enforce that the TC
session ID and SSL session ID match.
If there are security experts out there
Is the request attribute javax.servlet.request.ssl_session (in TC 3.3)
a 'standard' attribute that keeps the SSL session ID? Is there a spec
that defines it?
No, it's not in the specs, and even if you find this information
on some servers (Apache + mod_ssl for example), there is
still some web