Hi Chuck,

I am referring to invalidating the SSL session. My application is using client certificate authentication, and the XML-RPC client is using a USB token as a keystore during the SSL session. We want to force the client to re-authenticate with my application on every XML-RPC request, to prevent the user from removing the token during the client execution. The client will run infinitely.

From the client, I noticed it cached the first authenticated SSL session and reuses it for the subsequent calls... Can I invalidate the SSL session on the server side?

Thank you.

Regards,
SamKong Goo

On 17 March 2010 09:20, Caldarale, Charles R <chuck.caldar...@unisys.com> wrote:
>> From: Goo Sam Kong [mailto:skgo...@gmail.com]
>> Subject: How to set SSL session timeout in Tomcat 5.5.16
>>
>> May I know how to set the SSL session timeout in Tomcat 5.5.16.
>
> The session timeout value is independent of the session security, and set by
> the <session-timeout> value in the webapp's WEB-INF/web.xml file or
> programmatically. See the servlet spec for details.
>
> BTW, your tomcat version is four years old - you should seriously consider
> moving up to a newer version that contains numerous fixes, including
> security-related ones.
>
> - Chuck
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org