This question is about Tomcat's architecture.
When an HTTP over SSL (HTTPS) connection is established, Tomcat encapsulates
this connection in a CoyoteConnector object. After that, this object is
transformed into other objects, until it is encapsulated in an HttpRequest
object. When the connection is encapsulated in an HttpRequest/
HttpServletRequest, what happens?
My question is about the SSL session that is established, about the HTTP session
that is in the higher layer, and about the session available in the Servlet. I want
to know if the SSL session is the same as the HTTP session and the same as the
Servlet session.
My concern is about keeping a secure session, even if the SSL session is
broken. I.e., suppose the following situation:
- An HTTPS connection is established and an HttpServlet session is
created; the user is authenticated by a certificate (mutual authentication).
- I turn off the network; the SSL session is broken (I suppose that
is what happens).
- When I turn on the network, the user is still authenticated because
the session on the server didn't end (there wasn't a timeout yet).
This is a big problem. How can I control this?
Thanks,
Bárbara Vieira
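Added example (not part of the original post, and not Tomcat's own code): a servlet filter for the scenario described above. The servlet session is tracked by its session id (the JSESSIONID cookie), independently of the TLS session, so a new TLS connection can resume an existing servlet session. The filter below records a fingerprint of the client certificate that authenticated the session and, on every later request, checks that the certificate presented on the current TLS connection still matches; if it does not, or no client certificate is present, the session is invalidated. It reads the standard Servlet request attribute `javax.servlet.request.X509Certificate` and assumes the connector is configured for mutual authentication. The filter name and the session attribute key are assumptions.

```java
import java.io.IOException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical filter: binds the servlet session to the client certificate that
 * authenticated it and rejects requests whose TLS client certificate differs.
 */
public class CertSessionBindingFilter implements Filter {

    // Assumed session attribute key holding the bound certificate fingerprint.
    static final String BOUND_CERT_ATTR = "example.boundClientCertFingerprint";

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        X509Certificate current = currentClientCert(request);
        HttpSession session = request.getSession(false);

        if (current == null) {
            // The TLS connection carrying this request presented no client
            // certificate: an existing session must not continue on it.
            if (session != null) {
                session.invalidate();
            }
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        String fingerprint = fingerprint(current);
        if (session == null) {
            // First request: create the session and bind it to this certificate.
            session = request.getSession(true);
            session.setAttribute(BOUND_CERT_ATTR, fingerprint);
        } else {
            Object bound = session.getAttribute(BOUND_CERT_ATTR);
            if (bound == null) {
                session.setAttribute(BOUND_CERT_ATTR, fingerprint);
            } else if (!bound.equals(fingerprint)) {
                // Session id reused over a TLS connection authenticated by a
                // different certificate: drop the session.
                session.invalidate();
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
        }
        chain.doFilter(req, res);
    }

    /** Returns the end-entity client certificate of the current TLS connection, or null. */
    static X509Certificate currentClientCert(HttpServletRequest request) {
        Object attr = request.getAttribute("javax.servlet.request.X509Certificate");
        if (attr instanceof X509Certificate[] && ((X509Certificate[]) attr).length > 0) {
            return ((X509Certificate[]) attr)[0];
        }
        return null;
    }

    /** SHA-256 fingerprint of the DER encoding, as lowercase hex. */
    static String fingerprint(X509Certificate cert) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
            StringBuilder hex = new StringBuilder(digest.length * 2);
            for (byte b : digest) {
                hex.append(String.format("%02x", b));
            }
            return hex.toString();
        } catch (NoSuchAlgorithmException | CertificateEncodingException e) {
            throw new IllegalStateException("cannot fingerprint client certificate", e);
        }
    }
}
```

Register the filter in web.xml (or with @WebFilter) for the paths that hold the authenticated session. A lost and re-established TLS connection from the same client presents the same certificate and passes; a session id replayed over a connection authenticated with another certificate, or with none, is refused and the session is invalidated.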