i should make myself clearer, i guess... i'm trying to close an SSL connection, in case someone wants to use another certificate for a webpage that uses client-cert as authentication method.

i know how to close a session, thanks. what i don't know is how to invalidate an SSLSession. apparently there is one, i can get its id with request.getAttribute("javax.servlet.request.ssl_session"), and also apparently it is not enough to do session.invalidate(). why? because i have it in a logout.jsp that redirects to my index.jsp. now if the SSL connection would have been invalidated, i should be asked to choose a certificate from my browser certs, which i'm not. after passing my logout.jsp i'm still logged in. i even have a request.setHeader("connection", "close") in my logout jsp, which doesn't help either (i have read that the header thing might be interpreted more as a guideline for the browser and not necessarily close all connections).

in tomcat7 there's the possibility to use SSLSessionManager to invalidate the SSLSession, so i'm doing a wild guess that something similar has to be possible with tomcat6 as well.

so the overall workflow would be

1. first hit of index.jsp
2. i'm asked to choose a browser cert
3. i log in with a browser cert
4. i hit the logout button, which makes an ajax request to logout.jsp
5. in logout.jsp i invalidate the normal HTTPSession and set the connection header to "close" => here something is missing to invalidate the SSLSession
6. in case of success of the logout-ajax request, i'm taken to index.jsp (now start over from point 1. again)

only i'm not asked for a cert the second time, which is exactly what i want to achieve...

and before you ask: i don't want to switch to tomcat7 for this but need to get it done in tomcat-6.0.32

any help really appreciated

wkr turnguard

----- Original Message -----
From: "baran topal" <jazziiil...@gmail.com>
To: "Tomcat Users List" <users@tomcat.apache.org>
Sent: Tuesday, September 6, 2011 10:57:17 PM
Subject: Re: SSLSession invalidate

Greetings from Stockholm, this is Baran Topal.
As i was drinking my Guinness, i find your question interesting :)

Here you go:

    <%
        // invalidate the HTTP session if one exists
        HttpSession s = request.getSession(false);
        if (s != null) s.invalidate();
    %>

Inform me whether this is working or not :)

Regards.

On 6 sep 2011, at 22:09, Chema <demablo...@gmail.com> wrote:

>> how can access the SSLSession in a jsp or a servlet
>> to be able to invalidate it.
>
> Sorry, but
>
> is there any difference between to invalidate a HTTP Session and a
> SSLSession ?
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org

--
| Jürgen Jakobitsch,
| Software Developer
| Semantic Web Company GmbH
| Mariahilfer Straße 70 / Neubaugasse 1, Top 8
| A - 1070 Wien, Austria
| Mob +43 676 62 12 710 | Fax +43.1.402 12 35 - 22

COMPANY INFORMATION
| http://www.semantic-web.at/

PERSONAL INFORMATION
| web : http://www.turnguard.com
| foaf : http://www.turnguard.com/turnguard
| skype : jakobitsch-punkt