I am using Tomcat 5.5 in combination with an HTTP-connector that is configured with TLS and client-authentication. Users log in to my web application with a client certificate from a smartcard.

When users try to log out, the HTTP-session is invalidated but the SSL-session key remains valid for quite a while, enabling users to simply go back to the application even after they have removed the smartcard.

I have looked for a way to invalidate the SSL-session when a user logs off but nothing seems to work. The SSL session key is available in the request (javax.servlet.request.ssl_session) but I can't find a way to access the corresponding SSL-session programmatically. The SSLSessionContext has a method to get a particular session based on the session-id, but that doesn't seem to work.

Is there some other way to invalidate the SSL-session from my web application?

Gert-Jan
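
The logout flow asked about above, as an added example that is not part of the original post or of any reply to it. It assumes a Tomcat release whose connector exposes `org.apache.tomcat.util.net.SSLSessionManager` through the `javax.servlet.request.ssl_session_mgr` request attribute (described in the Tomcat 7 SSL how-to), which the Tomcat 5.5 in the post does not provide; the class name `LogoutServlet` and the response text are hypothetical.

```java
import java.io.IOException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.tomcat.util.net.SSLSessionManager;

// Hypothetical logout servlet (added example, not Tomcat's or the poster's code).
public class LogoutServlet extends HttpServlet {

    // Request attribute under which newer Tomcat connectors publish the manager.
    // Assumption: not present on Tomcat 5.5, so the lookup below may return null.
    private static final String SSL_SESSION_MGR =
            "javax.servlet.request.ssl_session_mgr";

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        // 1. End the application-level (HTTP) session, if one exists.
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // 2. Invalidate the TLS session so it cannot be resumed on a new
        //    connection; resuming is what lets the user return without the card.
        boolean tlsInvalidated = false;
        Object mgr = request.getAttribute(SSL_SESSION_MGR);
        if (mgr instanceof SSLSessionManager) {
            ((SSLSessionManager) mgr).invalidateSession();
            tlsInvalidated = true;
        }

        // 3. The current connection keeps its negotiated keys until it closes,
        //    so ask the container to close it after this response.
        response.setHeader("Connection", "close");
        response.setHeader("Cache-Control", "no-store");
        response.setContentType("text/plain");
        response.getWriter().println(tlsInvalidated
                ? "Logged out; TLS session invalidated."
                : "Logged out; this connector does not expose the TLS session.");
    }
}
```

When the attribute is missing, the servlet still ends the HTTP session and reports that the TLS session was left untouched, so the gap is visible instead of silent.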
