Hi. We are developing a Java-based webapp, a kind of CMS. The problem is that a relatively big group of its users will have rights to create pages, upload files etc., and also upload JavaScript pages. In this case an attacker will be able to steal somebody's session (e.g. by creating a JS page which will read the JSESSIONID cookie and forward it to its author).

We thought that one possible solution would be binding the user's session to SSL_SESSION_ID (i.e. keeping SSL_SESSION_ID in the user's session and comparing it at every request with the ID read from that request). The problem is that SSL_SESSION_ID is changing regardless of SSLSessionCacheTimeout (we've set it to a very high value). I suppose that it's not caused by the server (mod_ssl, after writing the SESSION_ID to the cache, is able to get it back every time, 100% hit rate). Is there any reason for which the SSL sessions are renegotiated (sometimes even three times during one minute)? Is it possible to block such renegotiations at the server/application side, or is it very browser-dependent?

T.I.A.
R.

-- 
"First they ignore you. Then they laugh at you. Then they fight you. Then you win." - Mohandas Gandhi.

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      modssl-users@modssl.org
Automated List Manager                            [EMAIL PROTECTED]
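The binding the poster describes, written out as a servlet filter (an added example, not code from the original post): the TLS session ID seen on the request that first touches an HttpSession is recorded, and any later request that presents that JSESSIONID over a connection with a different TLS session ID is refused. It assumes a Servlet 3.0 container that exposes the standard `javax.servlet.request.ssl_session_id` request attribute (Tomcat does, including behind Apache via AJP); the session attribute name `bound.ssl_session_id` is an arbitrary choice.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Ties an HttpSession to the TLS session over which it was first used. */
public class SslSessionBindingFilter implements Filter {
    // Standard Servlet 3.0 attribute carrying the TLS session ID (hex string).
    static final String SSL_ID_ATTR = "javax.servlet.request.ssl_session_id";
    // Our own session attribute name (arbitrary, chosen for this example).
    static final String BOUND_ATTR = "bound.ssl_session_id";

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest r = (HttpServletRequest) req;
        HttpServletResponse w = (HttpServletResponse) res;
        String sslId = (String) r.getAttribute(SSL_ID_ATTR);
        HttpSession session = r.getSession(false); // never create one here

        // No TLS session ID (plain HTTP, or container not exposing it):
        // nothing to bind against, so the check cannot apply.
        if (session != null && sslId != null) {
            String bound = (String) session.getAttribute(BOUND_ATTR);
            if (bound == null) {
                session.setAttribute(BOUND_ATTR, sslId);   // first use: record it
            } else if (!bound.equals(sslId)) {
                // Same JSESSIONID, different TLS session: either a cookie
                // replayed from another client, or the TLS session was
                // renegotiated by the browser (the false positive the poster hit).
                session.invalidate();
                w.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
        }
        chain.doFilter(req, res);
    }
}
```

Because browsers start new TLS sessions on their own schedule, as the post observes, a strict equality check like this will also log out legitimate users whenever that happens; setting the cookie HttpOnly is the usual complementary measure against script reading JSESSIONID.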