DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUGĀ· RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT <http://issues.apache.org/bugzilla/show_bug.cgi?id=39850>. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED ANDĀ· INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=39850 Summary: Need a way to invalidate SSL-session from web application Product: Tomcat 5 Version: 5.5.16 Platform: All OS/Version: All Status: NEW Severity: enhancement Priority: P3 Component: Catalina AssignedTo: tomcat-dev@jakarta.apache.org ReportedBy: [EMAIL PROTECTED] Currently there is no way to invalidate SSL-sessions that have been created for a web application that use a SSL/TLS Connector. There is a request parameter (javax.servlet.request.ssl_session) that contains the SSL session-id but there is no API that gives access to the underlying SSL-session. Invalidating the SSL-session is important for web application that use SSL client-authentication. Once a user is logged in to the application with a client certificate, he will not be logged out until the SSL-session expires. Tomcat should expose an interface to obtain a particular SSL-session so that it can be invalidated when a user logs off. Or, even better, SSL-sessions should be automatically invalidated when a HTTP-session is invalidated. -- Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
