Chuck,

Thanks for your prompt response.

> Invalidate the session after every request - but only if you really want to
> annoy your users.

Which session? Is there some way I can invalidate SSLSession? I tried invalidating httpsession but that didn't work. I put a trace to make sure that browser is not automatically sending the cached client cert.

Also, in a deployment where a machine is shared by multiple users and user1 forgets to close the browser before leaving, the user can log right in as user1.

________________________________
From: "Caldarale, Charles R" <[EMAIL PROTECTED]>
To: Tomcat Users List <users@tomcat.apache.org>
Sent: Friday, October 24, 2008 12:14:45 PM
Subject: RE: Force getting Client Cert from browser

> From: atul [mailto:[EMAIL PROTECTED]
> Subject: Force getting Client Cert from browser
>
> Tomcat never initiates ssl renegotiation - probably because
> it hangs onto sslsocket and sslsession object for performance.

No - it's because the *browser* uses the same sessionid and connection. Nothing Tomcat can do about that.

> Is there any way we can effect tomcat to forcefully
> renegotiate ssl for client cert?

Invalidate the session after every request - but only if you really want to annoy your users.

 - Chuck