Hi Chuck, I am referring to invalidate SSL session. My application is using client certificate authentication, the XML-RPC client is using USB token as a keystore during SSL session, we want to force client to re-authenticate with my application on every XML-RPC request to prevent user remove the token during the client execution. The client will run infinitely.
>From the client, I noticed it cached first authenticated SSL session and reuse it for the subsequent calls... Can I invalidate the SSL session on server side? Thank you. Regards, SamKong Goo On 17 March 2010 09:20, Caldarale, Charles R <[email protected]> wrote: >> From: Goo Sam Kong [mailto:[email protected]] >> Subject: How to set SSL session timeout in Tomcat 5.5.16 >> >> May I know how to set the SSL session timeout in Tomcat 5.5.16. > > The session timeout value is independent of the session security, and set by > the <session-timeout> value in the webapp's WEB-INF/web.xml file or > programatically. See the servlet spec for details. > > BTW, your tomcat version is four years old - you should seriously consider > moving up to a newer version that contains numerous fixes, including > security-related ones. > > - Chuck > > > THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY > MATERIAL and is thus for use only by the intended recipient. If you received > this in error, please contact the sender and delete the e-mail and its > attachments from all computers. > > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [email protected] > For additional commands, e-mail: [email protected] > > --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
