
Question about "TLS CCA Session" versus "Web Session"

From: Anders Rundgren <anders.rundgren.net@gmail.com>
Date: Wed, 07 May 2014 08:42:03 +0200
Message-ID: <5369D5BB.90800@gmail.com>
To: "public-webid@w3.org" <public-webid@w3.org>

I don't claim to know everything, so please bear with me when I ask a simple question :-)

Using JBoss and Tomcat (Java-based) servers, an HTTPS Client Certificate Authenticated
session created from a browser *never terminates* regardless of session time-out settings
because the TLS session has no link into the Java Servlet web session framework.

Due to this, neither manual logout nor automatic logout works in such setups.

Q1: how do other web-servers enforce logout from the server-side?
Q2: if other web-servers actually can do this, does this require TCP terminate?
Q3: if other web-servers actually can do this, does logout work for most/all browsers without specific measures?

Anders
Received on Wednesday, 7 May 2014 06:42:38 UTC
