
Re: SSLSession invalidate

From: Henry Story <henry.story@bblfish.net>
Date: Fri, 16 Sep 2011 01:47:07 +0200
Cc: Tomcat Users List <users@tomcat.apache.org>, WebID XG <public-xg-webid@w3.org>
Message-Id: <4DC682C3-6757-4FED-B219-AE5E6B50F45C@bblfish.net>
To: Peter <home_pw@msn.com>

On 15 Sep 2011, at 23:30, Peter wrote:

> A connection is streaming a video, when you "logout" of its session. 
> 
> What happens?

I have not tried it. I'll put up some code in Java so you can try it out soon.

> 
> The browser caches img files retrieved from the same server path as the application to which one then sends an SSL "logout signal". A browser plugin references the https uri of the image.
> 
> Does the cache release the image, collected over a session that is now closed?
> 
> Sent from my iPhone
> 
> On Sep 15, 2011, at 1:23 AM, Henry Story <henry.story@bblfish.net> wrote:
> 
>> You can break TLS sessions once you have the session_id. I tried this in Clerezza (an apache incubator project) to see if I could get something like a logout functionality to work. I even tried to see if breaking a connection and throwing one of the exceptions that TLS defines would force the browser to ask the user for another certificate, but it does not work - or only quite randomly in most browsers.
>> 
>> https://github.com/bblfish/clerezza/blob/bblfish/parent/platform.security.foafssl/core/src/main/scala/org/apache/clerezza/foafssl/ssl/X509TrustManagerWrapperService.scala
>> 
>> I think it is a bug that they don't react properly to the defined exceptions being thrown. 
>> 
>> What does work for Firefox and I think IE (Not tested yet, please let me know) is the following javascript logout:
>> 
>> function logout(elem) {
>>   if (document.all == null) {              // not MSIE
>>     if (window.crypto) {
>>       try {
>>         window.crypto.logout();            // Firefox-only, non-standard: clears the cached client-cert choice
>>         return false;                      // firefox ok -- no need to follow the link
>>       } catch (err) {                      // Safari, Opera, Chrome -- try with this session breaking
>>       }
>>     } else {                               // also try with session breaking
>>     }
>>   } else {                                 // MSIE 6+
>>     document.execCommand('ClearAuthenticationCache');
>>     return false;
>>   }
>>   return true;                             // follow the /logout link so the server can break the session
>> }
>> 
>> function login(elem)  { logout(elem) }
>> 
>> -----
>> 
>> Then you can just put the following html in your page
>> 
>> <a href="/user/joe/control-panel">Joe</a>|<a href="/logout" onclick="return logout();">logout</a>
>> 
>> I have added this to the foaf+ssl (WebID protocol) wiki
>> http://www.w3.org/wiki/Foaf%2Bssl/HOWTO#HOWTO_logout
>> 
>> Henry
>> 
>> On 7 Sep 2011, at 00:29, Adamus, Steven J. wrote:
>> 
>>> Don't assume your SSL session or connection hasn't been invalidated just because you aren't asked to choose a certificate from your browser certs when you log in again.  In our system (Tomcat 5.5.33), I know that our HTTP session and Single Sign-on session are invalidated upon logout, and we see similar behavior (no need to select certificate) upon re-login because the browser caches the user's certificate choice (and smart card PIN).  Is your session ID the same when you go back in?  
>>> 
>>> If you are using IE and you want to clear the browser cache to select another certificate, go to Tools->Internet Options, select Content tab, and click Clear SSL state. 
>>> 
>>> -----Original Message-----
>>> From: users-return-227483-STEVEN.J.ADAMUS=saic.com@tomcat.apache.org [mailto:users-return-227483-STEVEN.J.ADAMUS=saic.com@tomcat.apache.org] On Behalf Of Jürgen Jakobitsch
>>> Sent: Tuesday, September 06, 2011 3:12 PM
>>> To: Tomcat Users List
>>> Subject: Re: SSLSession invalidate
>>> 
>>> thanks mark,
>>> 
>>> if I understand you correctly, it is simply NOT possible to invalidate the SSLSession of which I can get the id with request.getAttribute("javax.servlet.request.ssl_session")
>>> (it works with this key in 6.0.32)
>>> 
>>> wkr turnguard
>>> 
>>> ----- Original Message -----
>>> From: "Mark Thomas" <markt@apache.org>
>>> To: "Tomcat Users List" <users@tomcat.apache.org>
>>> Sent: Wednesday, September 7, 2011 12:08:29 AM
>>> Subject: Re: SSLSession invalidate
>>> 
>>> On 06/09/2011 22:42, Jürgen Jakobitsch wrote:
>>>> apparently there is one, I can get its id with 
>>>> request.getAttribute("javax.servlet.request.ssl_session")
>>> 
>>> That is a Tomcat bug; it should be javax.servlet.request.ssl_session_id
>>> 
>>>> in tomcat7 there's the possibility to use SSLSessionManager to 
>>>> invalidate SSLSession, so i'm doing a wild guess, that something similar has to be possible with tomcat6 as well.
>>> 
>>> Your wild guess is wrong. That feature is in Tomcat 7 onwards.
>>> 
>>> Mark
>>> 
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>> For additional commands, e-mail: users-help@tomcat.apache.org
>>> 
>>> 
>>> -- 
>>> | Jürgen Jakobitsch,
>>> | Software Developer
>>> | Semantic Web Company GmbH
>>> | Mariahilfer Straße 70 / Neubaugasse 1, Top 8 A - 1070 Wien, Austria 
>>> | Mob +43 676 62 12 710 | Fax +43.1.402 12 35 - 22
>>> 
>>> COMPANY INFORMATION
>>> | http://www.semantic-web.at/
>>> 
>>> PERSONAL INFORMATION
>>> | web   : http://www.turnguard.com
>>> | foaf  : http://www.turnguard.com/turnguard
>>> | skype : jakobitsch-punkt
>>> 
>>> 
>> 
>> Social Web Architect
>> http://bblfish.net/
>> 
>> 
>> 

Social Web Architect
http://bblfish.net/
Received on Thursday, 15 September 2011 23:47:39 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Thursday, 15 September 2011 23:47:39 GMT
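Added example (not code from the thread, nor from Clerezza or Tomcat): a server-side counterpart to the javascript logout() above, for the case where the browser does not support window.crypto.logout() and simply follows the /logout link. It does the two things the thread discusses: invalidates the servlet HttpSession, and on Tomcat 7 onwards asks Tomcat to invalidate the TLS session through the SSLSessionManager that Mark refers to. The attribute names javax.servlet.request.ssl_session_id (the corrected Servlet-spec name from Mark's reply) and javax.servlet.request.ssl_session_mgr, and the class org.apache.tomcat.util.net.SSLSessionManager with its invalidateSession() method, are taken from my reading of the Tomcat 7 SSL HOWTO and are assumptions to verify against the Tomcat version you run; the servlet name and the /logout mapping are mine.

```java
import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.apache.tomcat.util.net.SSLSessionManager; // Tomcat 7+, assumed FQCN

/**
 * Logout servlet for a client-certificate (WebID / foaf+ssl) login on Tomcat.
 * Map it to /logout in web.xml so the javascript logout() falls through to it
 * when window.crypto.logout() is not available.
 */
public class LogoutServlet extends HttpServlet {

    // Servlet-spec attribute (Tomcat 6 mis-spelled it as ...ssl_session).
    static final String SSL_SESSION_ID  = "javax.servlet.request.ssl_session_id";
    // Tomcat 7 attribute carrying the SSLSessionManager (assumed; check your docs).
    static final String SSL_SESSION_MGR = "javax.servlet.request.ssl_session_mgr";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Remember the TLS session id so it can be compared with the one seen
        // after re-login (Steven's question: "is your session ID the same?").
        String tlsIdBefore = String.valueOf(req.getAttribute(SSL_SESSION_ID));

        // 1. Application-level logout: the servlet session, and whatever the
        //    application stored in it (e.g. the verified WebID), goes away.
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // 2. TLS-level logout (Tomcat 7 onwards, JSSE connector): drop the TLS
        //    session from the server-side cache so the client cannot resume it.
        //    On Tomcat 6 the attribute is absent and this step is skipped.
        boolean tlsInvalidated = false;
        Object mgr = req.getAttribute(SSL_SESSION_MGR);
        if (mgr instanceof SSLSessionManager) {
            ((SSLSessionManager) mgr).invalidateSession();
            tlsInvalidated = true;
        }

        // 3. Close the connection so the browser's next request needs a fresh
        //    handshake, and keep this response out of the cache. A fresh
        //    handshake does not guarantee a new certificate prompt: as Steven's
        //    message says, browsers cache the certificate choice.
        resp.setHeader("Connection", "close");
        resp.setHeader("Cache-Control", "no-store");
        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();
        out.println("http session invalidated");
        out.println("tls session " + tlsIdBefore
                + (tlsInvalidated ? " invalidated"
                                  : " NOT invalidated (no SSLSessionManager on this Tomcat)"));
    }
}
```

Deploy it, log in with a client certificate, note the ssl_session_id the servlet prints, then log in again and read request.getAttribute("javax.servlet.request.ssl_session_id") from any page: a different id shows that the TLS session really was invalidated and a full handshake took place, independently of whether the browser asked for the certificate again.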