DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUGĀ·
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=39850>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED ANDĀ·
INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=39850

           Summary: Need a way to invalidate SSL-session from web
                    application
           Product: Tomcat 5
           Version: 5.5.16
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: enhancement
          Priority: P3
         Component: Catalina
        AssignedTo: tomcat-dev@jakarta.apache.org
        ReportedBy: [EMAIL PROTECTED]


Currently there is no way to invalidate SSL-sessions that have been created for
a web application that use a SSL/TLS Connector. There is a request parameter
(javax.servlet.request.ssl_session) that contains the SSL session-id but there
is no API that gives access to the underlying SSL-session.

Invalidating the SSL-session is important for web application that use SSL
client-authentication. Once a user is logged in to the application with a client
certificate, he will not be logged out until the SSL-session expires.

Tomcat should expose an interface to obtain a particular SSL-session so that it
can be invalidated when a user logs off. Or, even better, SSL-sessions should be
automatically invalidated when a HTTP-session is invalidated.

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Reply via email to