- From: <henry.story@bblfish.net>
- Date: Wed, 7 May 2014 11:48:14 +0200
- To: Anders Rundgren <anders.rundgren.net@gmail.com>
- Cc: "public-webid@w3.org" <public-webid@w3.org>
On 7 May 2014, at 08:42, Anders Rundgren <anders.rundgren.net@gmail.com> wrote:

> I don't claim to know everything so please bear with me when I ask a simple question :-)
>
> Using JBoss and Tomcat (java-based) servers an HTTPS Client Certificate Authenticated
> session created from a browser *never terminates* regardless of session time-out settings
> because the TLS session has no link into the Java Servlet web session framework.
>
> Due to this neither manual logout nor automatic logout work in such setups.
>
> Q1: how do other web-servers enforce logout from the server-side?
> Q2: if other web-servers actually can do this, does this require TCP terminate?
> Q3: if other web-servers actually can do this, logout works for most/all browsers without specific measures?

As far as I can tell a server cannot force logout of the client, since the browsers tend to resend the same certificate to the server. You can only do this with Firefox which has a Javascript logout call currently.

In my view login/logout has to be handled by the client in the chrome. This has been identified as a key improvement browser manufacturers need to make for privacy reasons.

Henry

> Anders

Social Web Architect
http://bblfish.net/
Received on Wednesday, 7 May 2014 09:48:49 UTC
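The thread's point is that on a Java servlet container the TLS client-certificate session and the servlet web session are unrelated, so the browser keeps re-presenting the same certificate and the application has no notion of "logged out". The usual mitigation on the server side is to stop treating the mere presence of a client certificate as authentication: require an explicit application-level login that binds the presented certificate to an `HttpSession` with its own idle timeout, and treat logout as invalidating that session. The browser may still send the certificate afterwards, exactly as Henry describes, but the application no longer considers the request authenticated until the user logs in again. The following servlet filter is an added example written for this page, not code from the mailing-list thread or from JBoss/Tomcat; the `/login` and `/logout` paths, the session attribute name and the 15-minute idle limit are assumptions, while `javax.servlet.request.X509Certificate` is the standard Servlet request attribute through which the container exposes the client certificate chain.

```java
// Added example (not from the thread): decouple the application session from the
// TLS session on a Servlet 3.x container with client-certificate auth enabled.
// The /login and /logout paths and the attribute name are assumptions for this example.
import java.io.IOException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

@WebFilter("/*")
public class ClientCertSessionFilter implements Filter {
    // Standard Servlet attribute under which the container places the client chain.
    static final String ATTR_CERTS = "javax.servlet.request.X509Certificate";
    // Assumed session attribute: fingerprint of the certificate bound at login.
    static final String ATTR_FP = "webid.certFingerprint";
    // Assumed server-side idle limit; the TLS session does not control this.
    static final int MAX_IDLE_SECONDS = 15 * 60;

    @Override public void init(FilterConfig c) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest r = (HttpServletRequest) req;
        HttpServletResponse w = (HttpServletResponse) res;
        String path = r.getRequestURI().substring(r.getContextPath().length());

        String fp = presentedFingerprint(r); // null when no client certificate was sent

        if (path.equals("/logout")) {
            // The server forgets the session; the browser may still resend the certificate,
            // but the next request is unauthenticated until /login is called again.
            HttpSession s = r.getSession(false);
            if (s != null) s.invalidate();
            w.setStatus(HttpServletResponse.SC_NO_CONTENT);
            return;
        }

        if (path.equals("/login")) {
            if (fp == null) { w.sendError(HttpServletResponse.SC_UNAUTHORIZED); return; }
            HttpSession s = r.getSession(true);
            s.setAttribute(ATTR_FP, fp);
            s.setMaxInactiveInterval(MAX_IDLE_SECONDS); // automatic logout now works
            w.setStatus(HttpServletResponse.SC_NO_CONTENT);
            return;
        }

        // Authenticated only if an explicit login created a session and the certificate
        // presented on this request matches the one bound at login.
        HttpSession s = r.getSession(false);
        String bound = s == null ? null : (String) s.getAttribute(ATTR_FP);
        if (bound == null || fp == null || !bound.equals(fp)) {
            if (s != null) s.invalidate(); // certificate changed mid-session: drop it
            w.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        chain.doFilter(req, res);
    }

    // SHA-256 over the DER encoding of the leaf certificate, hex-encoded.
    static String presentedFingerprint(HttpServletRequest r) {
        X509Certificate[] chain = (X509Certificate[]) r.getAttribute(ATTR_CERTS);
        if (chain == null || chain.length == 0) return null;
        try {
            byte[] d = MessageDigest.getInstance("SHA-256").digest(chain[0].getEncoded());
            StringBuilder sb = new StringBuilder();
            for (byte b : d) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (NoSuchAlgorithmException | CertificateEncodingException e) {
            return null;
        }
    }
}
```

This does not make the browser stop sending the certificate, which is the client-side chrome problem the reply points at; it only ensures that the application's own session has a lifetime and a logout that the server controls, so a forgotten browser tab or a shared machine is no longer authenticated forever.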