i should make myself clearer, i guess...
i'm trying to close a SSL connection, in case someone wants to use another
certificate
for a webpage that uses client-cert as authentication method.
i know how to close a session, tanks. what i dont't know, how to invalidate a
SSLSession.
apparently there is one, i can get it's id with
request.getAttribute("javax.servlet.request.ssl_session")
and also apparently it is not enough to do session.invalidate(), why? because i
have it in a logout.jsp
that redirects to my index.jsp. now if the SSL Connection would have been
invalidated, i should be
asked to choose a certificate from my browser certs, which i'm not, after
passing my logout.jsp
i'm still logged in, i even have a request.setHeader("connection", "close") in
my logout jsp, which
doesn't help either (i have read that the header thing might be interpreted
more as guideline for the browser
and not necessarily close all connections).
in tomcat7 there's the possibility to use SSLSessionManager to invalidate
SSLSession, so i'm doing a
wild guess, that something similar has to be possible with tomcat6 as well.
so the overall workflow would be
1. first hit of index.jsp
2. i'm asked to choose a browser cert
3. i log in with a browser cert
4. i hit the logout button, which makes an ajax request to logout.jsp
5. in logout.jsp i invalidate the normal HTTPSession and set the connection
header to "close"
=> here some is missing to invalidate the SSLSession
6. in case of success of the logout-ajax request, i'm taken to index.jsp
(now start over from point 1. again)
only i'm not asked for a cert the second time, which is exactly what i want
to achieve... and before you asked : i don't want to switch to tomcat7 for this
but need it get done in tomcat-6.0.32
any help really appreciated
wkr turnguard
----- Original Message -----
From: "baran topal" <jazziiil...@gmail.com>
To: "Tomcat Users List" <users@tomcat.apache.org>
Sent: Tuesday, September 6, 2011 10:57:17 PM
Subject: Re: SSLSession invalidate
Greetings from Stockholm, this is Baran Topal.
As i was drinking my Guiness, i find your question interesting :)
Here you go:
<%
HttpSession s = request.getSession(false);
if (s != null) s.invalidate();
%>
Inform me whether this is working or not :)
Regards.
On 6 sep 2011, at 22:09, Chema <demablo...@gmail.com> wrote:
>> how can access the SSLSession in a jsp or a servlet
>> to be able to invalidate it.
>
> Sorry, but
>
> is there any difference between to invalidate a HTTP Session and a
> SSLSession ?
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
--
| Jürgen Jakobitsch,
| Software Developer
| Semantic Web Company GmbH
| Mariahilfer Straße 70 / Neubaugasse 1, Top 8
| A - 1070 Wien, Austria
| Mob +43 676 62 12 710 | Fax +43.1.402 12 35 - 22
COMPANY INFORMATION
| http://www.semantic-web.at/
PERSONAL INFORMATION
| web : http://www.turnguard.com
| foaf : http://www.turnguard.com/turnguard
| skype : jakobitsch-punkt
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
