On Tue, Sep 12, 2000 at 10:02:57AM +1000, [EMAIL PROTECTED] wrote:
>
> Is there anyone here that is successfully using client certificates, to
> provide automatic validation, logons and session management? In fact is
> there anyone that has got one of the above working reliably?
Yep.
>
> It seems to me that the client software built into the browsers (mostly IE)
> for SSL with client certificates is broken. It is my understanding that
> once an SSL session is created that it should keep the same SSL session and
> resultant session ID (which we are trying to use for tracking a session,
> coincidentally) but it seems that it doesn't work.
You can't expect a session to live for any specified length of time -
both IE and Netscape have their own ideas about how long a session should
live. Reusing sessions is more a way of increasing performance than to
track "web-sessions". Use the certificate content for establishing identity
and maybe combine it with a standard session management system for
increased performance.
vh
Mads Toftum
--
`Darn it, who spiked my coffee with water?!' - lwall
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
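
The approach recommended in the reply, sketched as an added example (not code from the original post or from mod_ssl): identity comes from the verified client certificate, and an ordinary signed cookie carries the web session, so a changing SSL session ID does not matter. It assumes Apache exports mod_ssl's variables (`SSLOptions +StdEnvVars`) and hands them to the application as a dict; the function names, cookie layout and timeout are hypothetical.

```python
import hashlib
import hmac
import secrets
import time

SECRET = secrets.token_bytes(32)  # server-side MAC key (generated per process here)
SESSION_TTL = 1800                # seconds; assumed policy, not from the post

def cert_identity(env):
    """Stable identity from the verified client cert; never SSL_SESSION_ID."""
    if env.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return None
    issuer, serial = env.get("SSL_CLIENT_I_DN"), env.get("SSL_CLIENT_M_SERIAL")
    if not issuer or not serial:
        return None
    return hashlib.sha256(f"{issuer}\n{serial}".encode()).hexdigest()

def _mac(payload):
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()

def issue_cookie(env, now=None):
    """Ordinary cookie session, bound to the certificate identity."""
    ident = cert_identity(env)
    if ident is None:
        return None
    expires = int((time.time() if now is None else now) + SESSION_TTL)
    payload = f"{ident}.{expires}"
    return f"{payload}.{_mac(payload)}"

def check_cookie(env, cookie, now=None):
    """Valid only if the MAC holds, it is unexpired, and the same cert is presented."""
    ident = cert_identity(env)
    try:
        c_ident, c_exp, c_tag = (cookie or "").split(".")
        expires = int(c_exp)
    except ValueError:
        return False
    now = time.time() if now is None else now
    return (ident is not None
            and hmac.compare_digest(_mac(f"{c_ident}.{c_exp}").encode(), c_tag.encode())
            and hmac.compare_digest(c_ident.encode(), ident.encode())
            and expires > now)

# Constructed sample requests: same certificate, different SSL session IDs.
ALICE = {"SSL_CLIENT_VERIFY": "SUCCESS", "SSL_CLIENT_I_DN": "/O=Example/CN=Test CA",
         "SSL_CLIENT_M_SERIAL": "0A1B", "SSL_SESSION_ID": "AAAA"}
ALICE_NEW_SSL_SESSION = dict(ALICE, SSL_SESSION_ID="BBBB")
OTHER_CERT = dict(ALICE, SSL_CLIENT_M_SERIAL="0C2D")
```

Issuer DN plus serial number is used as the key because that pair identifies one certificate; the subject DN alone would also survive a certificate renewal, which may or may not be what a deployment wants.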