warper wrote:
> Currently I am testing a PKCS#11 module. This module has been tested
> with Netscape 4.7x before trying Netscape 7.0, Mozilla 1.1, 1.2 and the
> latest nightly build.
>
> With Netscape 4.79 [snip] no problems arise when I use Client
> Authentication with [snip] SmartCard solution. However with
> any of the latest Mozilla powered browsers the client authentication is
> performed for every item on the secure page.
>
> [snip] For a SmartCard solution
> however, this is not the case: the user is requested to enter his/her
> PIN for every item (or is it HTTP connection/request?) made.

When a user authenticates to a remote server using a local PKCS 11 device, and then either logs out of the device or removes the device, NSS/Mozilla will no longer allow the authenticated SSL session to be reused or restarted. Any subsequent attempt to use an authenticated SSL session that was originally authenticated with the smart card will require reauthentication. That means the user will have to reinsert his card and log in again.

This is intended to make it so that when a user takes his smart card and leaves, someone else cannot sit down at his computer and continue to use his authenticated session, pretending to be the authenticated user.

Communicator did not check that the card is still present and still logged in as often as Mozilla does, and that was seen as a bug. Mozilla checks for each SSL connection. I think it may even check for each HTTP request.

The way that NSS checks to see if the card is still present and logged in is by calling C_GetSessionInfo and examining sessionInfo.state. If the call fails, or returns one of the "PUBLIC" session states, then the card has been logged out or removed.

So, based on your description, I'd guess your module is returning a public session state when queried for each HTTP request.

--
Nelson Bolyard
Disclaimer: I speak for myself, not for Netscape
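
The check described in the reply above, as an added example that is not part of the original thread and is not NSS source code. The `toy_token` model and `toy_GetSessionInfo` are hypothetical stand-ins for a module under test; the `CK_*` types and values are redeclared from the PKCS#11 specification so the file builds without `pkcs11.h`.

```c
#include <stdio.h>

/* Types and values per the PKCS#11 specification, redeclared locally. */
typedef unsigned long CK_ULONG, CK_RV, CK_STATE;
#define CKR_OK                 0x00UL
#define CKR_DEVICE_REMOVED     0x32UL
#define CKS_RO_PUBLIC_SESSION  0UL
#define CKS_RO_USER_FUNCTIONS  1UL
#define CKS_RW_PUBLIC_SESSION  2UL
typedef struct { CK_ULONG slotID; CK_STATE state; CK_ULONG flags; CK_ULONG ulDeviceError; } CK_SESSION_INFO;

/* Hypothetical token model. reports_login == 0 models a module that
 * accepted the PIN but keeps answering with a public session state. */
typedef struct { int present; int logged_in; int reports_login; } toy_token;

/* Constructed sample tokens. */
static const toy_token GOOD = {1, 1, 1}, BUGGY = {1, 1, 0},
                       REMOVED = {0, 1, 1}, LOGGED_OUT = {1, 0, 1};

/* Hypothetical stand-in for the module's C_GetSessionInfo. */
static CK_RV toy_GetSessionInfo(const toy_token *t, CK_SESSION_INFO *info)
{
    if (!t->present)
        return CKR_DEVICE_REMOVED;
    info->slotID = 0; info->flags = 0; info->ulDeviceError = 0;
    info->state = (t->logged_in && t->reports_login) ? CKS_RO_USER_FUNCTIONS
                                                     : CKS_RO_PUBLIC_SESSION;
    return CKR_OK;
}

/* Caller-side rule from the post: a failed call or a PUBLIC state means
 * the token was removed or logged out, so the caller must re-authenticate. */
int session_still_authenticated(const toy_token *t)
{
    CK_SESSION_INFO info;
    if (toy_GetSessionInfo(t, &info) != CKR_OK)
        return 0;
    return info.state != CKS_RO_PUBLIC_SESSION && info.state != CKS_RW_PUBLIC_SESSION;
}

int main(void)
{
    printf("good=%d buggy=%d removed=%d logged_out=%d\n",
           session_still_authenticated(&GOOD), session_still_authenticated(&BUGGY),
           session_still_authenticated(&REMOVED), session_still_authenticated(&LOGGED_OUT));
    return 0;
}
```

The `BUGGY` token is treated the same as a removed or logged-out card, which is the repeated PIN prompt symptom from the original question.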
