I am initiating client ssl in my webapp by requesting attr org.apache.coyote.request.X509Certificate User is prompted for the client cert at the browser and logs in just fine. When the user logs out, we invalidate the Http session. However, when the user tries to access another protected resource using same browser window (without closing), he gets right in. Tomcat never initiates ssl renegotiation - probably because it hangs onto sslsocket and sslsession object for performance. Is there anyway we can effect tomcat to forcefully renegotiate ssl for client cert ? Is there anyway application can get the SSLSocket and do a close on it ? Or destroy SSLSession object ? I tried sending http Connection: Close on the response with no success. Is there any other way to effect this ? I am using Tomcat 5.5 with Java 1.6_07. Any prompt help is really appreciated! Thanks
