Hi,

I think calling SSLSession.invalidate() will not suffice to log out the user, because calling invalidate() will only prevent the client from opening a new SSL connection using the same session, but has no influence on existing SSL connections using that session. That means the user is not logged out until all connections using that session are closed. See also the Java API: http://java.sun.com/j2se/1.5.0/docs/api/javax/net/ssl/SSLSession.html#invalidate()

Armin


Andreas Persson wrote:
Hi,

I'm trying to implement a feature that I think is missing, but I'm
feeling pretty lost in the Tomcat sources. When SSL client
authentication is used, I would like to be able to log out the user. I
think this means that I need to call invalidate() on the SSLSession
(I'm using the JSSE implementation). But, the SSLSession or SSLSocket
is not available for the servlet code.

Does anyone have some hints on how this could be solved? Should I try
to make the SSLSession available in a request parameter, or should
the invalidate method call in some way be placed inside the server
code?

/Andreas


---------------------------------------------------------------------
 To unsubscribe, e-mail: [EMAIL PROTECTED] For
additional commands, e-mail: [EMAIL PROTECTED]
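
The behaviour described in the reply at the top of this thread, as an added example that is not part of either message: a JSSE server invalidates the session and then keeps serving the same connection until the socket is closed. The class name `InvalidateDemo` is hypothetical, and the code assumes a test keystore and truststore are supplied through the standard `javax.net.ssl.keyStore`, `javax.net.ssl.keyStorePassword` and `javax.net.ssl.trustStore` system properties.

```java
import javax.net.ssl.*;
import java.io.*;

// Added illustration, not code from the thread. Assumption: the JVM is started with
// -Djavax.net.ssl.keyStore, -Djavax.net.ssl.keyStorePassword and -Djavax.net.ssl.trustStore
// pointing at a test keystore that holds a server certificate.
public class InvalidateDemo {
    public static void main(String[] args) throws Exception {
        SSLServerSocket server =
            (SSLServerSocket) SSLServerSocketFactory.getDefault().createServerSocket(0);

        Thread serverThread = new Thread(() -> {
            try (SSLSocket s = (SSLSocket) server.accept()) {
                BufferedReader in = new BufferedReader(new InputStreamReader(s.getInputStream()));
                PrintWriter out = new PrintWriter(s.getOutputStream(), true);

                in.readLine();                 // first request; the handshake completes here
                SSLSession session = s.getSession();
                session.invalidate();          // the attempted "logout"
                out.println("session valid after invalidate(): " + session.isValid());

                // The established connection is unaffected and keeps serving requests.
                out.println("still served: " + in.readLine());
                // Leaving this block closes the socket, which is what actually ends
                // this connection's use of the session.
            } catch (IOException e) {
                e.printStackTrace();
            }
        });
        serverThread.start();

        try (SSLSocket c = (SSLSocket) SSLSocketFactory.getDefault()
                .createSocket("localhost", server.getLocalPort())) {
            BufferedReader in = new BufferedReader(new InputStreamReader(c.getInputStream()));
            PrintWriter out = new PrintWriter(c.getOutputStream(), true);

            out.println("request 1");
            System.out.println(in.readLine());
            out.println("request 2 on the same connection");
            System.out.println(in.readLine());
        }
        serverThread.join();
        server.close();
    }
}
```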



