> "Bárbara Vieira" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]
>
> This question is about Tomcat's architecture.
>
> When an HTTP-over-SSL (HTTPS) connection is established, Tomcat encapsulates
> this connection in an object, CoyoteConnector. After that, this object is
> transformed into other objects, until it is encapsulated in an HttpRequest
> object. When the connection is encapsulated in an HttpRequest/
> HttpServletRequest, what happens?!
>
> My question is about the SSL session that is established, about the HTTP
> session that is in the higher layer, and about the session available in the
> Servlet. I want to know if the SSL session is the same as the HTTP session
> and the same as the Servlet session.
No, the SSL session and the HTTP session are completely different and
unrelated. It is possible to get the SSL session ID via the request attribute
"javax.servlet.request.ssl_session" (this is a Tomcat-specific feature, so it
is not portable). You can use that in a Filter to link the HTTP session to the
SSL session, but that's about it.

> My concern is about keeping a secure session, even if the SSL session is
> broken. I.e., suppose the following situation:
>
> - An HTTPS connection is established and an HttpServlet session is
> created - the user is authenticated by a certificate (mutual authentication)
>
> - I turn off the network - the SSL session is broken (I suppose that is
> what happens)
>
> - When I turn on the network, the user is authenticated because the
> session on the server didn't end (there wasn't a timeout yet)

This is normal, the browser will ask to rejoin its former SSL session and
Tomcat will see no reason why not. And even if there was a new SSL session,
most browsers will treat CLIENT-CERT auth like BASIC, and quietly resend the
previously selected cert without prompting the user again.

> This is a big problem. How can I control this?!
>
> Thanks,
> Bárbara Vieira

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
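The reply above suggests reading the Tomcat-specific SSL session ID in a Filter and using it to tie the HttpSession to the SSL session it was created under. The Filter below is an added example written for this thread; it is not code from the thread or from Tomcat. It records the SSL session ID on the first secure request that carries an HttpSession and invalidates the HttpSession whenever a later request arrives under a different SSL session. The attribute name is the one given in the reply; newer Tomcat releases expose the same value as "javax.servlet.request.ssl_session_id", so check your version. The session attribute name `bound.ssl.session.id` and the class name are ours. Note the caveat the reply itself makes: a browser that resumes its old SSL session, or silently resends the same client cert, will pass this check, so the filter only forces re-authentication when a genuinely new SSL session appears.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Example Filter (not Tomcat code) that binds an HttpSession to the SSL
 * session under which it was first seen. A request that presents the same
 * HttpSession cookie over a different SSL session gets the HttpSession
 * invalidated and a 401, so the user has to authenticate again.
 */
public class SslSessionBindingFilter implements Filter {

    /** Tomcat-specific request attribute, as named in the thread. Newer
     *  Tomcat versions use "javax.servlet.request.ssl_session_id" instead. */
    private static final String SSL_SESSION_ATTR = "javax.servlet.request.ssl_session";

    /** HttpSession attribute we store the bound SSL session ID under (our name). */
    private static final String BOUND_SSL_ID = "bound.ssl.session.id";

    public void init(FilterConfig config) throws ServletException { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // No TLS, no SSL session to bind to: refuse rather than run unbound.
        if (!request.isSecure()) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS required");
            return;
        }

        String currentSslId = currentSslSessionId(request);
        HttpSession session = request.getSession(false);

        if (session != null) {
            String boundSslId = (String) session.getAttribute(BOUND_SSL_ID);
            if (boundSslId != null && !boundSslId.equals(currentSslId)) {
                // Same HttpSession cookie, different (or missing) SSL session:
                // treat the servlet session as stale and force re-authentication.
                session.invalidate();
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED,
                        "SSL session changed; please authenticate again");
                return;
            }
        }

        chain.doFilter(req, res);

        // The application may have created the HttpSession during this request
        // (e.g. right after CLIENT-CERT auth), so bind it afterwards as well.
        bindIfUnbound(request.getSession(false), currentSslId);
    }

    /** Returns the SSL session ID Tomcat attached to the request, or null. */
    private static String currentSslSessionId(HttpServletRequest request) {
        Object id = request.getAttribute(SSL_SESSION_ATTR);
        return id == null ? null : id.toString();
    }

    /** Stores the SSL session ID in the HttpSession on first sight. */
    private static void bindIfUnbound(HttpSession session, String sslId) {
        if (session == null || sslId == null) {
            return;
        }
        try {
            if (session.getAttribute(BOUND_SSL_ID) == null) {
                session.setAttribute(BOUND_SSL_ID, sslId);
            }
        } catch (IllegalStateException alreadyInvalidated) {
            // The application invalidated the session during the request; nothing to bind.
        }
    }
}
```

Map the filter to `/*` in web.xml (a `<filter>` plus `<filter-mapping>` entry) so it runs ahead of the protected servlets. If the attribute comes back null on your Tomcat version, no binding is ever recorded and the filter passes everything through, so verify the attribute name with a quick request dump before relying on it.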