On 15 Sep 2011, at 23:30, Peter wrote:

> A connection is streaming a video, when you "logout" of its session.
>
> What happens?

I have not tried it. I'll put up some code in Java so you can try it out soon.

>
> The browser caches img files retrieved from the same server path as the
> application to which then one sends an ssl "logout signal". A browser plugin
> references the https uri of the image.
>
> Does the cache release the image, collected over a session that is now closed?
>
> Sent from my iPhone
>
> On Sep 15, 2011, at 1:23 AM, Henry Story <henry.st...@bblfish.net> wrote:
>
>> You can break TLS sessions once you have the session_id. I tried this in
>> Clerezza (an apache incubator project) to see if I could get something like
>> a logout functionality to work. I even tried to see if breaking a connection
>> and throwing one of the exceptions that TLS defines would force the browser
>> to ask the user for another certificate, but it does not work - or only
>> quite randomly in most browsers.
>>
>> https://github.com/bblfish/clerezza/blob/bblfish/parent/platform.security.foafssl/core/src/main/scala/org/apache/clerezza/foafssl/ssl/X509TrustManagerWrapperService.scala
>>
>> I think it is a bug that they don't react properly to the defined exceptions
>> being thrown.
>>
>> What does work for Firefox and I think IE (Not tested yet, please let me
>> know) is the following javascript logout:
>>
>> function logout(elem) {
>>   if (document.all == null) {
>>     if (window.crypto) {
>>       try {
>>         window.crypto.logout();
>>         return false; // Firefox ok -- no need to follow the link
>>       } catch (err) {
>>         // Safari, Opera, Chrome -- try with this session breaking
>>       }
>>     } else {
>>       // also try with session breaking
>>     }
>>   } else { // MSIE 6+
>>     document.execCommand('ClearAuthenticationCache');
>>     return false;
>>   }
>>   return true;
>> }
>>
>> function login(elem) { logout(elem) }
>>
>> -----
>>
>> Then you can just put the following html in your page
>>
>> <a href="/user/joe/control-panel">Joe</a>|<a href="/logout"
>> onclick="return logout();">logout</a>
>>
>> I have added this to the foaf+ssl (WebID protocol) wiki
>> http://www.w3.org/wiki/Foaf%2Bssl/HOWTO#HOWTO_logout
>>
>> Henry
>>
>> On 7 Sep 2011, at 00:29, Adamus, Steven J. wrote:
>>
>>> Don't assume your SSL session or connection hasn't been invalidated just
>>> because you aren't asked to choose a certificate from your browser certs
>>> when you log in again. In our system (Tomcat 5.5.33), I know that our HTTP
>>> session and Single Sign-on session are invalidated upon logout, and we see
>>> similar behavior (no need to select certificate) upon re-login because the
>>> browser caches the user's certificate choice (and smart card PIN). Is your
>>> session ID the same when you go back in?
>>>
>>> If you are using IE and you want to clear the browser cache to select
>>> another certificate, go to Tools->Internet Options, select Content tab, and
>>> click Clear SSL state.
>>>
>>> -----Original Message-----
>>> From: users-return-227483-STEVEN.J.ADAMUS=saic....@tomcat.apache.org
>>> [mailto:users-return-227483-STEVEN.J.ADAMUS=saic....@tomcat.apache.org] On
>>> Behalf Of Jürgen Jakobitsch
>>> Sent: Tuesday, September 06, 2011 3:12 PM
>>> To: Tomcat Users List
>>> Subject: Re: SSLSession invalidate
>>>
>>> thanks mark,
>>>
>>> if i understand you correctly, it is simply NOT possible to invalidate the
>>> SSLSession of which i can get the id with
>>> request.getAttribute("javax.servlet.request.ssl_session")
>>> (it works with this key in 6.0.32)
>>>
>>> wkr turnguard
>>>
>>> ----- Original Message -----
>>> From: "Mark Thomas" <ma...@apache.org>
>>> To: "Tomcat Users List" <users@tomcat.apache.org>
>>> Sent: Wednesday, September 7, 2011 12:08:29 AM
>>> Subject: Re: SSLSession invalidate
>>>
>>> On 06/09/2011 22:42, Jürgen Jakobitsch wrote:
>>>> apparently there is one, i can get its id with
>>>> request.getAttribute("javax.servlet.request.ssl_session")
>>>
>>> That is a Tomcat bug; it should be javax.servlet.request.ssl_session_id
>>>
>>>> in tomcat7 there's the possibility to use SSLSessionManager to
>>>> invalidate SSLSession, so i'm doing a wild guess, that something similar
>>>> has to be possible with tomcat6 as well.
>>>
>>> Your wild guess is wrong. That feature is in Tomcat 7 onwards.
>>>
>>> Mark
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>>
>>> --
>>> | Jürgen Jakobitsch,
>>> | Software Developer
>>> | Semantic Web Company GmbH
>>> | Mariahilfer Straße 70 / Neubaugasse 1, Top 8 A - 1070 Wien, Austria
>>> | Mob +43 676 62 12 710 | Fax +43.1.402 12 35 - 22
>>>
>>> COMPANY INFORMATION
>>> | http://www.semantic-web.at/
>>>
>>> PERSONAL INFORMATION
>>> | web : http://www.turnguard.com
>>> | foaf : http://www.turnguard.com/turnguard
>>> | skype : jakobitsch-punkt
>>>
>>
>> Social Web Architect
>> http://bblfish.net/

Social Web Architect
http://bblfish.net/
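
Added example, not code from any participant in this thread: a server-side logout for Tomcat 7 or later that uses the SSLSessionManager feature the thread refers to, alongside the usual HTTP session invalidation. The servlet name `LogoutServlet` and its `/logout` mapping are assumptions chosen for illustration.

```java
import java.io.IOException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.tomcat.util.net.SSLSessionManager;

// Hypothetical servlet (assumption: mapped to /logout in web.xml).
public class LogoutServlet extends HttpServlet {

    // Request attribute under which Tomcat 7+ exposes the SSL session manager.
    private static final String SSL_SESSION_MGR = "javax.servlet.request.ssl_session_mgr";
    // Corrected attribute name for the SSL session id, as stated in the thread.
    private static final String SSL_SESSION_ID = "javax.servlet.request.ssl_session_id";

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        // Read the TLS session id first so the server log can be compared
        // with the id seen on the next login.
        Object tlsSessionId = request.getAttribute(SSL_SESSION_ID);

        // 1. Drop application state tied to the HTTP session.
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // 2. Invalidate the TLS session so it cannot be resumed. The attribute
        //    is null on plain HTTP or when the connector does not provide it.
        SSLSessionManager mgr = (SSLSessionManager) request.getAttribute(SSL_SESSION_MGR);
        boolean tlsInvalidated = false;
        if (mgr != null) {
            mgr.invalidateSession();
            tlsInvalidated = true;
        }

        // 3. The TLS session stays active on this connection until it is
        //    closed, so ask for the connection to be closed after the response.
        response.setHeader("Connection", "close");

        log("logout: tlsSessionId=" + tlsSessionId + " tlsInvalidated=" + tlsInvalidated);
        response.setContentType("text/plain");
        response.getWriter().println(tlsInvalidated ? "Logged out." : "Logged out (HTTP session only).");
    }
}
```

Because the browser may cache the user's certificate choice, the absence of a certificate prompt on the next login does not show that invalidation failed; compare the logged TLS session id with the one seen after re-login instead.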