Hi Chuck,

Thank you for your quick response.

May I know how to get the protected HttpSession object in Spring controller/servlet? I used HttpRequest.getSession.invalidate() but can not force re-authentication. I tried maxKeepAliveRequests="1" attribute in HTTPS connector too, but can not force re-authentication. May I know how you do it?

In this thread (http://old.nabble.com/Force-getting-Client-Cert-from-browser-td20155194.html), Bill Barker-2 mentioned Tomcat can not force re-authentication. Is that correct?

Thank you.

Regards,
SamKong Goo

On 17 March 2010 11:47, Caldarale, Charles R <[email protected]> wrote:
>> From: Goo Sam Kong [mailto:[email protected]]
>> Subject: Re: How to set SSL session timeout in Tomcat 5.5.16
>>
>> I attempted that, that is HTTP Session not SSL session.
>
> Depending on how your webapp is configured, you may have two HttpSession
> objects - one protected, and one not. Make sure you're invalidating the
> protected session from servlet code associated with a protected resource, not
> from an unprotected reference.
>
> You could also turn off keep-alives in the HTTPS <Connector> (set
> maxKeepAliveRequests="1"). Renegotiating the SSL handshake on each request
> might be a noticeable performance hit, however.
>
> - Chuck
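
A sketch of the first suggestion in the quoted reply (invalidate the session from servlet code that itself sits behind the protected resource), added here as an example and not code from this thread or from Tomcat. The class name and the `/secure/logout` mapping are assumptions; it uses only the standard `javax.servlet` API.

```java
import java.io.IOException;
import java.security.cert.X509Certificate;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical logout servlet. Assumption: web.xml maps it to a URL such as
 * /secure/logout that is covered by the same <security-constraint> as the
 * protected pages, so it sees the session that belongs to the protected resource.
 */
public class ProtectedLogoutServlet extends HttpServlet {

    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Standard servlet attribute: the client certificate chain, if one was presented.
        X509Certificate[] chain = (X509Certificate[])
                req.getAttribute("javax.servlet.request.X509Certificate");

        // Refuse requests that did not arrive over HTTPS with a client certificate;
        // per the reply above, an unprotected path may hold a different HttpSession.
        if (!req.isSecure() || chain == null || chain.length == 0) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // getSession(false) avoids creating a new session just to destroy it.
        HttpSession session = req.getSession(false);
        boolean hadSession = (session != null);
        if (hadSession) {
            session.invalidate(); // ends the HttpSession only, not the SSL session
        }

        // Audit trail: who signed out and whether a session existed (no session id logged).
        log("Logout for " + chain[0].getSubjectX500Principal().getName()
                + ", HttpSession present: " + hadSession);

        resp.setHeader("Cache-Control", "no-store");
        resp.setContentType("text/plain");
        resp.getWriter().println("HTTP session ended.");
    }
}
```

The servlet only ends the HTTP session; the keep-alive behaviour of the HTTPS connector is controlled separately by the `maxKeepAliveRequests="1"` setting mentioned in the reply.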
