Thank you for your answer! I have done some tests now, and you're right, it 
wasn't enough to just do SSLSession.invalidate(). But if I also close the 
socket, by doing

response.setHeader("Connection", "close")

it seemed to work. But when I read your message I realize that there might be 
other sockets open that also need to be closed.

/Andreas

-----Original Message-----
From: Armin Häberling [mailto:[EMAIL PROTECTED]
Sent: 5 January 2006 16:52
To: Tomcat Developers List
Subject: Re: Invalidate the SSLSession?


Hi,

I think calling SSLSession.invalidate() will not suffice to log out the 
user, because calling invalidate() will only prevent the client from 
opening a new SSL connection using the same session, but has no influence 
on existing SSL connections using that session. That means the user is not 
logged out until all connections using that session are closed.
See also the Java API: 
http://java.sun.com/j2se/1.5.0/docs/api/javax/net/ssl/SSLSession.html#invalidate()

Armin


Andreas Persson wrote:
> Hi,
> 
> I'm trying to implement a feature that I think is missing, but I'm
> feeling pretty lost in the Tomcat sources. When SSL client
> authentication is used, I would like to be able to logout the user. I
> think this means that I need to call invalidate() on the SSLSession
> (I'm using the JSSE implementation). But, the SSLSession or SSLSocket
> is not available for the servlet code.
> 
> Does anyone have some hints on how this could be solved? Should I try
> to make the SSLSession available in a request parameter, or should
> the invalidate method call in some way be placed inside the server
> code?
> 
> /Andreas
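
The two steps discussed in this thread, combined in one logout servlet. This is an added example, not code from either poster: it assumes a later Tomcat release (7 to 9) that exposes org.apache.tomcat.util.net.SSLSessionManager through the javax.servlet.request.ssl_session_mgr request attribute, and the servlet class name and response text are hypothetical.

```java
import java.io.IOException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.tomcat.util.net.SSLSessionManager;

// Hypothetical logout servlet for a connector that uses SSL client authentication.
public class ClientCertLogoutServlet extends HttpServlet {

    // Tomcat-specific request attribute (Tomcat 7 to 9); absent on non-SSL connectors.
    private static final String SSL_SESSION_MGR = "javax.servlet.request.ssl_session_mgr";

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        // 1. Drop application state tied to the authenticated user.
        HttpSession httpSession = request.getSession(false);
        if (httpSession != null) {
            httpSession.invalidate();
        }

        // 2. Invalidate the SSL session so it cannot be resumed: a new
        //    connection has to perform a full handshake, including client
        //    authentication.
        SSLSessionManager mgr = (SSLSessionManager) request.getAttribute(SSL_SESSION_MGR);
        boolean sslInvalidated = false;
        if (mgr != null) {
            mgr.invalidateSession();
            sslInvalidated = true;
        }

        // 3. invalidate() does not affect connections that are already open,
        //    so ask for this one to be closed after the response is sent.
        //    Other keep-alive connections opened under the same SSL session
        //    stay authenticated until they are closed as well.
        response.setHeader("Connection", "close");
        response.setHeader("Cache-Control", "no-store");
        response.setContentType("text/plain");
        response.getWriter().println(sslInvalidated
                ? "Logged out: SSL session invalidated, closing this connection."
                : "HTTP session cleared; no SSL session manager on this request.");
    }
}
```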
