
Re: Question about "TLS CCA Session" versus "Web Session"

From: <henry.story@bblfish.net>
Date: Wed, 7 May 2014 11:48:14 +0200
Cc: "public-webid@w3.org" <public-webid@w3.org>
Message-Id: <4E158EEE-7EF8-448A-936E-ADC0EE20F246@bblfish.net>
To: Anders Rundgren <anders.rundgren.net@gmail.com>

On 7 May 2014, at 08:42, Anders Rundgren <anders.rundgren.net@gmail.com> wrote:

> I don't claim knowing everything so please bear with me when I ask a simple question :-)
> 
> Using JBoss and Tomcat (java-based) servers an HTTPS Client Certificate Authenticated
> session created from a browser *never terminates* regardless of session time-out settings
> because the TLS session has no link into the Java Servlet web session framework.
> 
> Due to this, neither manual logout nor automatic logout works in such setups.
> 
> Q1: how do other web-servers enforce logout from the server-side?
> Q2: if other web-servers actually can do this, does this require TCP terminate?
> Q3: if other web-servers actually can do this, does logout work for most/all browsers without specific measures?
> 

As far as I can tell a server cannot force logout of the client, since the browsers tend to resend the same certificate
to the server. You can only do this with Firefox which has a Javascript logout call currently. In my view login/logout
has to be handled by the client in the chrome.

This has been identified as a key improvement browser manufacturers need to make for privacy reasons.

Henry


> Anders
> 

Social Web Architect
http://bblfish.net/
Received on Wednesday, 7 May 2014 09:48:49 UTC
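The gap Anders describes (a TLS client-certificate session with no link into the servlet web session) and Henry's point that the browser keeps resending the same certificate can be made concrete with a small model. This is an added example, not code from the thread, Tomcat or JBoss; the certificate bytes, the timestamps, the `SessionRegistry` class and the `tls_only_decision` function are all constructed for illustration. It contrasts a decision based on the TLS certificate alone with one that additionally requires a live application-level session keyed by the certificate's fingerprint, so that idle timeout and manual logout take effect on the server side even though the client presents the same certificate on its next request.

```python
"""Model of the gap discussed in the thread: TLS client-certificate
authentication proves key possession on every request but says nothing
about whether an application-level session is still alive. The registry
below keeps its own session state keyed by certificate fingerprint, so
idle timeout and logout apply even though the browser keeps presenting
the same certificate. All certificates and timestamps are constructed."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed stand-ins for DER-encoded client certificates (not real certs).
ALICE_CERT = b"constructed-DER-bytes-for-alice"


def cert_fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the certificate bytes, a stable key for a client certificate."""
    return hashlib.sha256(cert_der).hexdigest()


@dataclass
class WebSession:
    fingerprint: str
    created_at: float
    last_seen: float


def tls_only_decision(cert_der: Optional[bytes]) -> str:
    """The behaviour the thread describes: the decision depends solely on whether
    TLS presented a certificate, so there is nothing to time out or log out."""
    return "ok" if cert_der else "no-cert"


class SessionRegistry:
    """Application-level session table linked to the TLS identity (constructed)."""

    def __init__(self, idle_timeout_s: float) -> None:
        self.idle_timeout_s = idle_timeout_s
        self._sessions: Dict[str, WebSession] = {}

    def login(self, cert_der: bytes, now: float) -> None:
        """Explicit login step, run after TLS has already authenticated the cert."""
        fp = cert_fingerprint(cert_der)
        self._sessions[fp] = WebSession(fp, created_at=now, last_seen=now)

    def logout(self, cert_der: bytes) -> None:
        """Manual logout: drop the web session. The browser may resend the
        certificate, but the next request finds no session behind it."""
        self._sessions.pop(cert_fingerprint(cert_der), None)

    def decision(self, cert_der: Optional[bytes], now: float) -> str:
        """Authorize one request: TLS identity AND a live web session are required."""
        if not cert_der:
            return "no-cert"
        fp = cert_fingerprint(cert_der)
        session = self._sessions.get(fp)
        if session is None:
            return "no-session"        # never logged in, or logged out
        if now - session.last_seen > self.idle_timeout_s:
            del self._sessions[fp]     # automatic logout on idle timeout
            return "expired"
        session.last_seen = now        # sliding idle window
        return "ok"


def demo() -> List[str]:
    """Walk one client through login, activity, idle timeout, re-login and logout."""
    reg = SessionRegistry(idle_timeout_s=600)
    trace: List[str] = []
    trace.append(reg.decision(ALICE_CERT, now=0))      # TLS ok, but no login yet
    reg.login(ALICE_CERT, now=0)
    trace.append(reg.decision(ALICE_CERT, now=100))    # live session
    trace.append(reg.decision(ALICE_CERT, now=1000))   # 900 s idle > 600 s: expired
    trace.append(reg.decision(ALICE_CERT, now=1001))   # expiry removed the session
    reg.login(ALICE_CERT, now=1001)
    reg.logout(ALICE_CERT)
    trace.append(reg.decision(ALICE_CERT, now=1002))   # manual logout took effect
    trace.append(tls_only_decision(ALICE_CERT))        # always ok: the gap in the thread
    return trace


if __name__ == "__main__":
    print(demo())
```

This does not make the browser forget the certificate, which is the client-side logout in the chrome that Henry refers to; it only lets the server stop treating a presented certificate as a logged-in session, which is the server-side enforcement Anders' Q1 asks about.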
