Re: SSLSession invalidate

2011-09-15 Thread Henry Story

On 15 Sep 2011, at 23:30, Peter wrote:

> A connection is streaming a video, when you "logout" of its session. 
> 
> What happens?

I have not tried it. I'll put up some code in Java so you can try it out soon.

> 
> The browser caches img files retrieved from the same server path as the 
> application to which one then sends an ssl "logout signal". A browser plugin 
> references the https uri of the image.
> 
> Does the cache release the image, collected over a session that is now closed?
> 
> Sent from my iPhone
> 
> On Sep 15, 2011, at 1:23 AM, Henry Story  wrote:
> 
>> You can break TLS sessions once you have the session_id. I tried this in 
>> Clerezza (an apache incubator project) to see if I could get something like 
>> a logout functionality to work. I even tried to see if breaking a connection 
>> and throwing one of the exceptions that TLS defines would force the browser 
>> to ask the user for another certificate, but it does not work - or only 
>> quite randomly in most browsers.
>> 
>> https://github.com/bblfish/clerezza/blob/bblfish/parent/platform.security.foafssl/core/src/main/scala/org/apache/clerezza/foafssl/ssl/X509TrustManagerWrapperService.scala
>> 
>> I think it is a bug that they don't react properly to the defined exceptions 
>> being thrown. 
>> 
>> What does work for Firefox and I think IE (Not tested yet, please let me 
>> know) is the following javascript logout:
>> 
>> function logout(elem) {
>>    if (document.all == null) {
>>       if (window.crypto) {
>>          try {
>>             window.crypto.logout();
>>             return false; // Firefox ok -- no need to follow the link
>>          } catch (err) {
>>             // Safari, Opera, Chrome -- try with this session breaking instead
>>          }
>>       } else {
>>          // also try with session breaking
>>       }
>>    } else { // MSIE 6+
>>       document.execCommand('ClearAuthenticationCache');
>>       return false;
>>    }
>>    return true;
>> }
>> 
>> function login(elem)  { logout(elem) }
>> 
>> -
>> 
>> Then you can just put the following html in your page
>> 
>> Joe|> onclick="return logout();">logout
>> 
>> I have added this to the foaf+ssl (WebID protocol) wiki
>> http://www.w3.org/wiki/Foaf%2Bssl/HOWTO#HOWTO_logout
>> 
>> Henry
>> 
>> On 7 Sep 2011, at 00:29, Adamus, Steven J. wrote:
>> 
>>> Don't assume your SSL session or connection hasn't been invalidated just 
>>> because you aren't asked to choose a certificate from your browser certs 
>>> when you log in again.  In our system (Tomcat 5.5.33), I know that our HTTP 
>>> session and Single Sign-on session are invalidated upon logout, and we see 
>>> similar behavior (no need to select certificate) upon re-login because the 
>>> browser caches the user's certificate choice (and smart card PIN).  Is your 
>>> session ID the same when you go back in?  
>>> 
>>> If you are using IE and you want to clear the browser cache to select 
>>> another certificate, go to Tools->Internet Options, select Content tab, and 
>>> click Clear SSL state. 
>>> 
>>> -Original Message-
>>> From: users-return-227483-STEVEN.J.ADAMUS=saic@tomcat.apache.org 
>>> [mailto:users-return-227483-STEVEN.J.ADAMUS=saic@tomcat.apache.org] On 
>>> Behalf Of Jürgen Jakobitsch
>>> Sent: Tuesday, September 06, 2011 3:12 PM
>>> To: Tomcat Users List
>>> Subject: Re: SSLSession invalidate
>>> 
>>> thanks mark,
>>> 
>>> if i understand you correctly, it is simply NOT possible to invalidate the 
>>> SSLSession of which i can get the id with 
>>> request.getAttribute("javax.servlet.request.ssl_session")
>>> (it works with this key in 6.0.32)
>>> 
>>> wkr turnguard
>>> 
>>> - Original Message -
>>> From: "Mark Thomas" 
>>> To: "Tomcat Users List" 
>>> Sent: Wednesday, September 7, 2011 12:08:29 AM
>>> Subject: Re: SSLSession invalidate
>>> 
>>> On 06/09/2011 22:42, Jürgen Jakobitsch wrote:
>>>> apparently there is one, i can get its id with 
>>>> request.getAttribute("javax.servlet.request.ssl_session")
>>> 
>>> That is a Tomcat bug; it should be javax.servlet.request.ssl_session_id
>>> 
>>>> in tomcat7 there's the possibility to use SSLSessionManager to 

Re: SSLSession invalidate

2011-09-15 Thread Henry Story
You can break TLS sessions once you have the session_id. I tried this in 
Clerezza (an apache incubator project) to see if I could get something like a 
logout functionality to work. I even tried to see if breaking a connection and 
throwing one of the exceptions that TLS defines would force the browser to ask 
the user for another certificate, but it does not work - or only quite randomly 
in most browsers.

https://github.com/bblfish/clerezza/blob/bblfish/parent/platform.security.foafssl/core/src/main/scala/org/apache/clerezza/foafssl/ssl/X509TrustManagerWrapperService.scala

I think it is a bug that they don't react properly to the defined exceptions 
being thrown. 

What does work for Firefox and I think IE (Not tested yet, please let me know) 
is the following javascript logout:

function logout(elem) {
   if (document.all == null) {
      if (window.crypto) {
         try {
            window.crypto.logout();
            return false; // Firefox ok -- no need to follow the link
         } catch (err) {
            // Safari, Opera, Chrome -- try with this session breaking instead
         }
      } else {
         // also try with session breaking
      }
   } else { // MSIE 6+
      document.execCommand('ClearAuthenticationCache');
      return false;
   }
   return true;
}

function login(elem)  { logout(elem) }

-

Then you can just put the following html in your page

Joe|logout

I have added this to the foaf+ssl (WebID protocol) wiki
http://www.w3.org/wiki/Foaf%2Bssl/HOWTO#HOWTO_logout

Henry

On 7 Sep 2011, at 00:29, Adamus, Steven J. wrote:

> Don't assume your SSL session or connection hasn't been invalidated just 
> because you aren't asked to choose a certificate from your browser certs when 
> you log in again.  In our system (Tomcat 5.5.33), I know that our HTTP 
> session and Single Sign-on session are invalidated upon logout, and we see 
> similar behavior (no need to select certificate) upon re-login because the 
> browser caches the user's certificate choice (and smart card PIN).  Is your 
> session ID the same when you go back in?  
> 
> If you are using IE and you want to clear the browser cache to select another 
> certificate, go to Tools->Internet Options, select Content tab, and click 
> Clear SSL state. 
> 
> -Original Message-
> From: users-return-227483-STEVEN.J.ADAMUS=saic@tomcat.apache.org 
> [mailto:users-return-227483-STEVEN.J.ADAMUS=saic@tomcat.apache.org] On 
> Behalf Of Jürgen Jakobitsch
> Sent: Tuesday, September 06, 2011 3:12 PM
> To: Tomcat Users List
> Subject: Re: SSLSession invalidate
> 
> thanks mark,
> 
> if i understand you correctly, it is simply NOT possible to invalidate the 
> SSLSession of which i can get the id with 
> request.getAttribute("javax.servlet.request.ssl_session")
> (it works with this key in 6.0.32)
> 
> wkr turnguard
> 
> - Original Message -----
> From: "Mark Thomas" 
> To: "Tomcat Users List" 
> Sent: Wednesday, September 7, 2011 12:08:29 AM
> Subject: Re: SSLSession invalidate
> 
> On 06/09/2011 22:42, Jürgen Jakobitsch wrote:
>> apparently there is one, i can get its id with 
>> request.getAttribute("javax.servlet.request.ssl_session")
> 
> That is a Tomcat bug; it should be javax.servlet.request.ssl_session_id
> 
>> in tomcat7 there's the possibility to use SSLSessionManager to 
>> invalidate SSLSession, so i'm doing a wild guess, that something similar has 
>> to be possible with tomcat6 as well.
> 
> Your wild guess is wrong. That feature is in Tomcat 7 onwards.
> 
> Mark
> 
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
> 
> 
> -- 
> | Jürgen Jakobitsch,
> | Software Developer
> | Semantic Web Company GmbH
> | Mariahilfer Straße 70 / Neubaugasse 1, Top 8 A - 1070 Wien, Austria 
> | Mob +43 676 62 12 710 | Fax +43.1.402 12 35 - 22
> 
> COMPANY INFORMATION
> | http://www.semantic-web.at/
> 
> PERSONAL INFORMATION
> | web   : http://www.turnguard.com
> | foaf  : http://www.turnguard.com/turnguard
> | skype : jakobitsch-punkt
> 
> 
> 
> 

Social Web Architect
http://bblfish.net/





RE: SSLSession invalidate

2011-09-06 Thread Adamus, Steven J.
Don't assume your SSL session or connection hasn't been invalidated just 
because you aren't asked to choose a certificate from your browser certs when 
you log in again.  In our system (Tomcat 5.5.33), I know that our HTTP session 
and Single Sign-on session are invalidated upon logout, and we see similar 
behavior (no need to select certificate) upon re-login because the browser 
caches the user's certificate choice (and smart card PIN).  Is your session ID 
the same when you go back in?  

If you are using IE and you want to clear the browser cache to select another 
certificate, go to Tools->Internet Options, select Content tab, and click Clear 
SSL state. 

-Original Message-
From: users-return-227483-STEVEN.J.ADAMUS=saic@tomcat.apache.org 
[mailto:users-return-227483-STEVEN.J.ADAMUS=saic@tomcat.apache.org] On 
Behalf Of Jürgen Jakobitsch
Sent: Tuesday, September 06, 2011 3:12 PM
To: Tomcat Users List
Subject: Re: SSLSession invalidate

thanks mark,

if i understand you correctly, it is simply NOT possible to invalidate the 
SSLSession of which i can get the id with 
request.getAttribute("javax.servlet.request.ssl_session")
(it works with this key in 6.0.32)

wkr turnguard

- Original Message -
From: "Mark Thomas" 
To: "Tomcat Users List" 
Sent: Wednesday, September 7, 2011 12:08:29 AM
Subject: Re: SSLSession invalidate

On 06/09/2011 22:42, Jürgen Jakobitsch wrote:
> apparently there is one, i can get its id with 
> request.getAttribute("javax.servlet.request.ssl_session")

That is a Tomcat bug; it should be javax.servlet.request.ssl_session_id

> in tomcat7 there's the possibility to use SSLSessionManager to 
> invalidate SSLSession, so i'm doing a wild guess, that something similar has 
> to be possible with tomcat6 as well.

Your wild guess is wrong. That feature is in Tomcat 7 onwards.

Mark



-- 
| Jürgen Jakobitsch,
| Software Developer
| Semantic Web Company GmbH
| Mariahilfer Straße 70 / Neubaugasse 1, Top 8 A - 1070 Wien, Austria 
| Mob +43 676 62 12 710 | Fax +43.1.402 12 35 - 22

COMPANY INFORMATION
| http://www.semantic-web.at/

PERSONAL INFORMATION
| web   : http://www.turnguard.com
| foaf  : http://www.turnguard.com/turnguard
| skype : jakobitsch-punkt






Re: SSLSession invalidate

2011-09-06 Thread Jürgen Jakobitsch
thanks mark,

if i understand you correctly, it is simply NOT possible to invalidate
the SSLSession of which i can get the id with 
request.getAttribute("javax.servlet.request.ssl_session")
(it works with this key in 6.0.32)

wkr turnguard

- Original Message -
From: "Mark Thomas" 
To: "Tomcat Users List" 
Sent: Wednesday, September 7, 2011 12:08:29 AM
Subject: Re: SSLSession invalidate

On 06/09/2011 22:42, Jürgen Jakobitsch wrote:
> apparently there is one, i can get its id with 
> request.getAttribute("javax.servlet.request.ssl_session")

That is a Tomcat bug; it should be javax.servlet.request.ssl_session_id

> in tomcat7 there's the possibility to use SSLSessionManager to invalidate 
> SSLSession, so i'm doing a
> wild guess, that something similar has to be possible with tomcat6 as well.

Your wild guess is wrong. That feature is in Tomcat 7 onwards.

Mark



--
| Jürgen Jakobitsch,
| Software Developer
| Semantic Web Company GmbH
| Mariahilfer Straße 70 / Neubaugasse 1, Top 8
| A - 1070 Wien, Austria
| Mob +43 676 62 12 710 | Fax +43.1.402 12 35 - 22

COMPANY INFORMATION
| http://www.semantic-web.at/

PERSONAL INFORMATION
| web   : http://www.turnguard.com
| foaf  : http://www.turnguard.com/turnguard
| skype : jakobitsch-punkt




Re: SSLSession invalidate

2011-09-06 Thread Mark Thomas
On 06/09/2011 22:42, Jürgen Jakobitsch wrote:
> apparently there is one, i can get its id with 
> request.getAttribute("javax.servlet.request.ssl_session")

That is a Tomcat bug; it should be javax.servlet.request.ssl_session_id

> in tomcat7 there's the possibility to use SSLSessionManager to invalidate 
> SSLSession, so i'm doing a
> wild guess, that something similar has to be possible with tomcat6 as well.

Your wild guess is wrong. That feature is in Tomcat 7 onwards.

Mark




Re: SSLSession invalidate

2011-09-06 Thread Jürgen Jakobitsch
i should make myself clearer, i guess...

i'm trying to close an SSL connection, in case someone wants to use another 
certificate for a webpage that uses client-cert as authentication method.

i know how to close a session, thanks. what i don't know is how to invalidate an 
SSLSession. apparently there is one, i can get its id with 
request.getAttribute("javax.servlet.request.ssl_session")
and also apparently it is not enough to do session.invalidate(). why? because i 
have it in a logout.jsp that redirects to my index.jsp. now if the SSL connection 
had been invalidated, i should be asked to choose a certificate from my browser 
certs, which i'm not: after passing my logout.jsp i'm still logged in. i even have 
a request.setHeader("connection", "close") in my logout jsp, which doesn't help 
either (i have read that the header thing might be interpreted more as a 
guideline for the browser and not necessarily close all connections).

in tomcat7 there's the possibility to use SSLSessionManager to invalidate 
SSLSession, so i'm doing a wild guess, that something similar has to be possible 
with tomcat6 as well.


so the overall workflow would be

1. first hit of index.jsp
2. i'm asked to choose a browser cert
3. i log in with a browser cert
4. i hit the logout button, which makes an ajax request to logout.jsp
5. in logout.jsp i invalidate the normal HTTPSession and set the connection 
header to "close"

   => here something is missing to invalidate the SSLSession

6. in case of success of the logout-ajax request, i'm taken to index.jsp
   (now start over from point 1. again)
   only i'm not asked for a cert the second time, which is exactly what i want 
to achieve... and before you ask: i don't want to switch to tomcat7 for this
   but need to get it done in tomcat-6.0.32

any help really appreciated
wkr turnguard



- Original Message -
From: "baran topal" 
To: "Tomcat Users List" 
Sent: Tuesday, September 6, 2011 10:57:17 PM
Subject: Re: SSLSession invalidate

Greetings from Stockholm, this is Baran Topal.

As i was drinking my Guinness, i found your question interesting :)

Here you go:

<%
HttpSession s = request.getSession(false);
if (s != null) s.invalidate();
%>

Inform me whether this is working or not :)

Regards.

On 6 sep 2011, at 22:09, Chema  wrote:

>> how can i access the SSLSession in a jsp or a servlet
>> to be able to invalidate it.
>
> Sorry, but
>
> is there any difference between invalidating an HTTP Session and an 
> SSLSession ?
>
>



--
| Jürgen Jakobitsch,
| Software Developer
| Semantic Web Company GmbH
| Mariahilfer Straße 70 / Neubaugasse 1, Top 8
| A - 1070 Wien, Austria
| Mob +43 676 62 12 710 | Fax +43.1.402 12 35 - 22

COMPANY INFORMATION
| http://www.semantic-web.at/

PERSONAL INFORMATION
| web   : http://www.turnguard.com
| foaf  : http://www.turnguard.com/turnguard
| skype : jakobitsch-punkt

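Henry's javascript covers the browser side of a logout. As an added example (not code from this thread, from Tomcat or from any of the posters), here is step 5 of Jürgen's workflow as a servlet for Tomcat 7 onwards: it uses Mark's corrected attribute name and his pointer to SSLSessionManager, degrades to an HttpSession-only logout where the manager is absent, and adds Steven's check of whether the TLS session id actually changed on the next request. The class name, the "tls.id.before.logout" session key and the "javax.servlet.request.ssl_session_mgr" attribute (Tomcat's SSLSupport.SESSION_MGR to my knowledge, assumed null on Tomcat 6) are assumptions.

```java
import java.io.IOException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Step 5 of the workflow as a servlet (hypothetical name; the thread uses logout.jsp).
public class LogoutServlet extends HttpServlet {
    // Correct key per Mark: ends in "_id"; the key without it is the Tomcat bug he mentions.
    static final String TLS_ID_ATTR = "javax.servlet.request.ssl_session_id";
    // Tomcat 7+ only (SSLSupport.SESSION_MGR): an org.apache.tomcat.util.net.SSLSessionManager.
    // Assumed to be null on Tomcat 6.0.x, which has no such API.
    static final String TLS_MGR_ATTR = "javax.servlet.request.ssl_session_mgr";
    // Our own session key (assumption): the TLS session id seen on the logout request.
    static final String LAST_TLS_ID = "tls.id.before.logout";
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String tlsIdBefore = (String) req.getAttribute(TLS_ID_ATTR);
        HttpSession http = req.getSession(false);
        if (http != null) {
            http.invalidate();                      // this part already works on Tomcat 6
        }
        boolean tlsDropped = invalidateTlsSession(req);
        // New anonymous session: remember which TLS session the user logged out from,
        // so index.jsp can tell a resumed TLS session from a fresh handshake.
        req.getSession(true).setAttribute(LAST_TLS_ID, tlsIdBefore);
        resp.setHeader("Connection", "close");     // advisory only, as noted in the thread
        resp.setContentType("text/plain");
        resp.getWriter().print(tlsDropped ? "tls-session-invalidated" : "http-session-only");
    }

    /** True only if the container exposed a TLS session manager and we invalidated through it. */
    static boolean invalidateTlsSession(HttpServletRequest req) {
        Object mgr = req.getAttribute(TLS_MGR_ATTR);
        if (mgr == null) {
            return false;                           // Tomcat 6: nothing a servlet can do here
        }
        try {
            // Resolve the method on the public interface so this compiles without tomcat-coyote
            // on the build path and works even if the concrete class is not public.
            Class.forName("org.apache.tomcat.util.net.SSLSessionManager")
                 .getMethod("invalidateSession").invoke(mgr);
            return true;
        } catch (Exception e) {
            return false;
        }
    }

    /** For index.jsp on the next request: did a different TLS session id show up? */
    static boolean tlsSessionWasRenewed(HttpServletRequest req) {
        HttpSession http = req.getSession(false);
        String before = http == null ? null : (String) http.getAttribute(LAST_TLS_ID);
        String now = (String) req.getAttribute(TLS_ID_ATTR);
        // Unknown ids are not proof of renewal; equal ids mean the old TLS session was resumed.
        return before != null && now != null && !before.equals(now);
    }
}
```

Even when tlsSessionWasRenewed returns true, the browser may have completed the new handshake with its cached certificate choice and PIN, as Steven describes, so a changed id shows the server-side invalidation worked but does not guarantee the user was prompted again.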



Re: SSLSession invalidate

2011-09-06 Thread baran topal
Greetings from Stockholm, this is Baran Topal.

As i was drinking my Guinness, i found your question interesting :)

Here you go:

<%
HttpSession s = request.getSession(false);
if (s != null) s.invalidate();
%>

Inform me whether this is working or not :)

Regards.

On 6 sep 2011, at 22:09, Chema  wrote:

>> how can i access the SSLSession in a jsp or a servlet
>> to be able to invalidate it.
>
> Sorry, but
>
> is there any difference between invalidating an HTTP Session and an 
> SSLSession ?
>
>




Re: SSLSession invalidate

2011-09-06 Thread Chema
> how can i access the SSLSession in a jsp or a servlet
> to be able to invalidate it.

Sorry, but

is there any difference between invalidating an HTTP Session and an SSLSession ?




SSLSession invalidate

2011-09-06 Thread Jürgen Jakobitsch
hi, i'm pretty sure, this question
has been asked a thousand times, but
i didn't find an answer :

how can i access the SSLSession in a jsp or a servlet
to be able to invalidate it.

any pointer really appreciated

wkr www.turnguard.com/turnguard

--
| Jürgen Jakobitsch,
| Software Developer
| Semantic Web Company GmbH
| Mariahilfer Straße 70 / Neubaugasse 1, Top 8
| A - 1070 Wien, Austria
| Mob +43 676 62 12 710 | Fax +43.1.402 12 35 - 22

COMPANY INFORMATION
| http://www.semantic-web.at/

PERSONAL INFORMATION
| web   : http://www.turnguard.com
| foaf  : http://www.turnguard.com/turnguard
| skype : jakobitsch-punkt
