Re: SSLSession invalidate from Henry Story on 2011-09-15 (public-xg-webid@w3.org from September 2011)

From: Henry Story <henry.story@bblfish.net>
Date: Thu, 15 Sep 2011 10:23:41 +0200
To: Tomcat Users List <users@tomcat.apache.org>, WebID XG <public-xg-webid@w3.org>
Message-Id: <EAC236A7-DD45-4436-A024-A8D5708D8D83@bblfish.net>
You can break TLS sessions once you have the session_id. I tried this in Clerezza (an apache incubator project) to see if I could get something like a logout functionality to work. I even tried to see if breaking a connection and throwing one of the exceptions that TLS defines would force the browser to ask the user for another certificate, but it does not work - or only quite randomly in most browsers.

https://github.com/bblfish/clerezza/blob/bblfish/parent/platform.security.foafssl/core/src/main/scala/org/apache/clerezza/foafssl/ssl/X509TrustManagerWrapperService.scala

I think it is a bug that they don't react properly to the defined exceptions being thrown. 

What does work for Firefox and I think IE (Not tested yet, please let me know) is the following javascript logout:

function logout(elem) {
   if (document.all == null) {
      if (window.crypto) {
          try{
              window.crypto.logout();
              return false; //firefox ok -- no need to follow the link
          } catch (err) {//Safari, Opera, Chrome -- try with tis session breaking
          }
      } else { //also try with session breaking
      }
   } else { // MSIE 6+
      document.execCommand('ClearAuthenticationCache');
      return false;
   };
   return true
}

function login(elem)  { logout(elem) }

-----

Then you can just put the following html in your page

<a href={"/user/joe/control-panel"}>Joe</a>|<a href="/logout" onclick="return logout();">logout</a>

I have added this to the foaf+ssl (WebID protocol) wiki
http://www.w3.org/wiki/Foaf%2Bssl/HOWTO#HOWTO_logout

Henry

On 7 Sep 2011, at 00:29, Adamus, Steven J. wrote:

> Don't assume your SSL session or connection hasn't been invalidated just because you aren't asked to choose a certificate from your browser certs when you log in again.  In our system (Tomcat 5.5.33), I know that our HTTP session and Single Sign-on session are invalidated upon logout, and we see similar behavior (no need to select certificate) upon re-login because the browser caches the user's certificate choice (and smart card PIN).  Is your session ID the same when you go back in?  
> 
> If you are using IE and you want to clear the browser cache to select another certificate, go to Tools->Internet Options, select Content tab, and click Clear SSL state. 
> 
> -----Original Message-----
> From: users-return-227483-STEVEN.J.ADAMUS=saic.com@tomcat.apache.org [mailto:users-return-227483-STEVEN.J.ADAMUS=saic.com@tomcat.apache.org] On Behalf Of Jürgen Jakobitsch
> Sent: Tuesday, September 06, 2011 3:12 PM
> To: Tomcat Users List
> Subject: Re: SSLSession invalidate
> 
> thanks mark,
> 
> if i understand you correct, it is simply NOT possible to invalidate the SSLSession of which i can get the id with request.getAttribute("javax.servlet.request.ssl_session")
> (it works with this key in 6.0.32)
> 
> wkr turnguard
> 
> ----- Original Message -----
> From: "Mark Thomas" <markt@apache.org>
> To: "Tomcat Users List" <users@tomcat.apache.org>
> Sent: Wednesday, September 7, 2011 12:08:29 AM
> Subject: Re: SSLSession invalidate
> 
> On 06/09/2011 22:42, Jürgen Jakobitsch wrote:
>> apparently there is one, i can get it's id with 
>> request.getAttribute("javax.servlet.request.ssl_session")
> 
> That is a Tomcat bug it should be javax.servlet.request.ssl_session_id
> 
>> in tomcat7 there's the possibility to use SSLSessionManager to 
>> invalidate SSLSession, so i'm doing a wild guess, that something similar has to be possible with tomcat6 as well.
> 
> Your wild guess is wrong. That feature is in Tomcat 7 onwards.
> 
> Mark
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
> 
> 
> -- 
> | Jürgen Jakobitsch,
> | Software Developer
> | Semantic Web Company GmbH
> | Mariahilfer Straße 70 / Neubaugasse 1, Top 8 A - 1070 Wien, Austria 
> | Mob +43 676 62 12 710 | Fax +43.1.402 12 35 - 22
> 
> COMPANY INFORMATION
> | http://www.semantic-web.at/
> 
> PERSONAL INFORMATION
> | web   : http://www.turnguard.com
> | foaf  : http://www.turnguard.com/turnguard
> | skype : jakobitsch-punkt
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
> 

Social Web Architect
http://bblfish.net/
Received on Thursday, 15 September 2011 08:24:14 UTC