W3C home > Mailing lists > Public > public-xg-webid@w3.org > September 2011

Re: SSLSession invalidate

From: Peter <home_pw@msn.com>
Date: Thu, 15 Sep 2011 14:30:22 -0700
Message-ID: <BLU0-SMTP43AE00EF378F5A6D1865D92070@phx.gbl>
CC: Tomcat Users List <users@tomcat.apache.org>, WebID XG <public-xg-webid@w3.org>
To: Henry Story <henry.story@bblfish.net>
A connection is streaming a video, when you "logout" of it's session. 

What happens?

The browser caches img files retrived from on the same server path as the application to which then one sends an ssl "logout signal". A browser plugin references the https uri of the image.

Does the cache release the image, collected over a session that is now closed?

Sent from my iPhone

On Sep 15, 2011, at 1:23 AM, Henry Story <henry.story@bblfish.net> wrote:

> You can break TLS sessions once you have the session_id. I tried this in Clerezza (an apache incubator project) to see if I could get something like a logout functionality to work. I even tried to see if breaking a connection and throwing one of the exceptions that TLS defines would force the browser to ask the user for another certificate, but it does not work - or only quite randomly in most browsers.
> 
> https://github.com/bblfish/clerezza/blob/bblfish/parent/platform.security.foafssl/core/src/main/scala/org/apache/clerezza/foafssl/ssl/X509TrustManagerWrapperService.scala
> 
> I think it is a bug that they don't react properly to the defined exceptions being thrown. 
> 
> What does work for Firefox and I think IE (Not tested yet, please let me know) is the following javascript logout:
> 
> function logout(elem) {
>   if (document.all == null) {
>      if (window.crypto) {
>          try{
>              window.crypto.logout();
>              return false; //firefox ok -- no need to follow the link
>          } catch (err) {//Safari, Opera, Chrome -- try with tis session breaking
>          }
>      } else { //also try with session breaking
>      }
>   } else { // MSIE 6+
>      document.execCommand('ClearAuthenticationCache');
>      return false;
>   };
>   return true
> }
> 
> function login(elem)  { logout(elem) }
> 
> -----
> 
> Then you can just put the following html in your page
> 
> <a href={"/user/joe/control-panel"}>Joe</a>|<a href="/logout" onclick="return logout();">logout</a>
> 
> I have added this to the foaf+ssl (WebID protocol) wiki
> http://www.w3.org/wiki/Foaf%2Bssl/HOWTO#HOWTO_logout
> 
> Henry
> 
> On 7 Sep 2011, at 00:29, Adamus, Steven J. wrote:
> 
>> Don't assume your SSL session or connection hasn't been invalidated just because you aren't asked to choose a certificate from your browser certs when you log in again.  In our system (Tomcat 5.5.33), I know that our HTTP session and Single Sign-on session are invalidated upon logout, and we see similar behavior (no need to select certificate) upon re-login because the browser caches the user's certificate choice (and smart card PIN).  Is your session ID the same when you go back in?  
>> 
>> If you are using IE and you want to clear the browser cache to select another certificate, go to Tools->Internet Options, select Content tab, and click Clear SSL state. 
>> 
>> -----Original Message-----
>> From: users-return-227483-STEVEN.J.ADAMUS=saic.com@tomcat.apache.org [mailto:users-return-227483-STEVEN.J.ADAMUS=saic.com@tomcat.apache.org] On Behalf Of Jürgen Jakobitsch
>> Sent: Tuesday, September 06, 2011 3:12 PM
>> To: Tomcat Users List
>> Subject: Re: SSLSession invalidate
>> 
>> thanks mark,
>> 
>> if i understand you correct, it is simply NOT possible to invalidate the SSLSession of which i can get the id with request.getAttribute("javax.servlet.request.ssl_session")
>> (it works with this key in 6.0.32)
>> 
>> wkr turnguard
>> 
>> ----- Original Message -----
>> From: "Mark Thomas" <markt@apache.org>
>> To: "Tomcat Users List" <users@tomcat.apache.org>
>> Sent: Wednesday, September 7, 2011 12:08:29 AM
>> Subject: Re: SSLSession invalidate
>> 
>> On 06/09/2011 22:42, Jürgen Jakobitsch wrote:
>>> apparently there is one, i can get it's id with 
>>> request.getAttribute("javax.servlet.request.ssl_session")
>> 
>> That is a Tomcat bug it should be javax.servlet.request.ssl_session_id
>> 
>>> in tomcat7 there's the possibility to use SSLSessionManager to 
>>> invalidate SSLSession, so i'm doing a wild guess, that something similar has to be possible with tomcat6 as well.
>> 
>> Your wild guess is wrong. That feature is in Tomcat 7 onwards.
>> 
>> Mark
>> 
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: users-help@tomcat.apache.org
>> 
>> 
>> -- 
>> | Jürgen Jakobitsch,
>> | Software Developer
>> | Semantic Web Company GmbH
>> | Mariahilfer Straße 70 / Neubaugasse 1, Top 8 A - 1070 Wien, Austria 
>> | Mob +43 676 62 12 710 | Fax +43.1.402 12 35 - 22
>> 
>> COMPANY INFORMATION
>> | http://www.semantic-web.at/
>> 
>> PERSONAL INFORMATION
>> | web   : http://www.turnguard.com
>> | foaf  : http://www.turnguard.com/turnguard
>> | skype : jakobitsch-punkt
>> 
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: users-help@tomcat.apache.org
>> 
>> 
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: users-help@tomcat.apache.org
>> 
> 
> Social Web Architect
> http://bblfish.net/
> 
> 
> 
Received on Thursday, 15 September 2011 21:31:58 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Thursday, 15 September 2011 21:31:58 GMT