- From: Henry Story <henry.story@bblfish.net>
- Date: Thu, 15 Sep 2011 10:23:41 +0200
- To: Tomcat Users List <users@tomcat.apache.org>, WebID XG <public-xg-webid@w3.org>
You can break TLS sessions once you have the session_id. I tried this in Clerezza (an Apache incubator project) to see if I could get something like a logout functionality to work. I even tried to see if breaking a connection and throwing one of the exceptions that TLS defines would force the browser to ask the user for another certificate, but it does not work - or only quite randomly in most browsers.

https://github.com/bblfish/clerezza/blob/bblfish/parent/platform.security.foafssl/core/src/main/scala/org/apache/clerezza/foafssl/ssl/X509TrustManagerWrapperService.scala

I think it is a bug that they don't react properly to the defined exceptions being thrown.

What does work for Firefox and I think IE (not tested yet, please let me know) is the following javascript logout:

function logout(elem) {
    if (document.all == null) {
        // Not IE.
        if (window.crypto) {
            try {
                // Firefox-only, non-standard call that clears the browser's
                // TLS client-certificate state.
                window.crypto.logout();
                return false; // firefox ok -- no need to follow the link
            } catch (err) {
                // Safari, Opera, Chrome have no crypto.logout() -- fall through
                // and follow the link so the server tries session breaking
            }
        } else {
            // no window.crypto at all -- also fall through to session breaking
        }
    } else {
        // MSIE 6+: drop cached credentials and the client certificate choice
        document.execCommand('ClearAuthenticationCache');
        return false;
    }
    return true; // follow the /logout link
}

function login(elem) {
    logout(elem);
}

-----

Then you can just put the following html in your page

<a href={"/user/joe/control-panel"}>Joe</a>|<a href="/logout" onclick="return logout();">logout</a>

I have added this to the foaf+ssl (WebID protocol) wiki

http://www.w3.org/wiki/Foaf%2Bssl/HOWTO#HOWTO_logout

Henry

On 7 Sep 2011, at 00:29, Adamus, Steven J. wrote:

> Don't assume your SSL session or connection hasn't been invalidated just because you aren't asked to choose a certificate from your browser certs when you log in again. In our system (Tomcat 5.5.33), I know that our HTTP session and Single Sign-on session are invalidated upon logout, and we see similar behavior (no need to select certificate) upon re-login because the browser caches the user's certificate choice (and smart card PIN).
> Is your session ID the same when you go back in?
>
> If you are using IE and you want to clear the browser cache to select another certificate, go to Tools->Internet Options, select Content tab, and click Clear SSL state.
>
> -----Original Message-----
> From: users-return-227483-STEVEN.J.ADAMUS=saic.com@tomcat.apache.org [mailto:users-return-227483-STEVEN.J.ADAMUS=saic.com@tomcat.apache.org] On Behalf Of Jürgen Jakobitsch
> Sent: Tuesday, September 06, 2011 3:12 PM
> To: Tomcat Users List
> Subject: Re: SSLSession invalidate
>
> thanks mark,
>
> if i understand you correctly, it is simply NOT possible to invalidate the SSLSession of which i can get the id with request.getAttribute("javax.servlet.request.ssl_session")
> (it works with this key in 6.0.32)
>
> wkr turnguard
>
> ----- Original Message -----
> From: "Mark Thomas" <markt@apache.org>
> To: "Tomcat Users List" <users@tomcat.apache.org>
> Sent: Wednesday, September 7, 2011 12:08:29 AM
> Subject: Re: SSLSession invalidate
>
> On 06/09/2011 22:42, Jürgen Jakobitsch wrote:
>> apparently there is one, i can get its id with
>> request.getAttribute("javax.servlet.request.ssl_session")
>
> That is a Tomcat bug, it should be javax.servlet.request.ssl_session_id
>
>> in tomcat7 there's the possibility to use SSLSessionManager to
>> invalidate SSLSession, so i'm doing a wild guess, that something similar has to be possible with tomcat6 as well.
>
> Your wild guess is wrong. That feature is in Tomcat 7 onwards.
>
> Mark
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>
> --
> | Jürgen Jakobitsch,
> | Software Developer
> | Semantic Web Company GmbH
> | Mariahilfer Straße 70 / Neubaugasse 1, Top 8 A - 1070 Wien, Austria
> | Mob +43 676 62 12 710 | Fax +43.1.402 12 35 - 22
>
> COMPANY INFORMATION
> | http://www.semantic-web.at/
>
> PERSONAL INFORMATION
> | web : http://www.turnguard.com
> | foaf : http://www.turnguard.com/turnguard
> | skype : jakobitsch-punkt

Social Web Architect
http://bblfish.net/
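The quoted thread settles two server-side points: Tomcat exposes the TLS session id as a request attribute (javax.servlet.request.ssl_session_id, mis-spelled javax.servlet.request.ssl_session in 6.0.x), and only Tomcat 7 onwards offers an SSLSessionManager that can invalidate the TLS session. The servlet below is an added example written for this page; it is not code from the thread, from Clerezza or from Tomcat. It assumes a Servlet 3.0 container for the annotation and, for Tomcat 7+, that the request attribute org.apache.tomcat.util.net.SSLSessionManager carries an object with an invalidateSession() method (the assumed attribute name is marked in the code). It is the server half of the /logout link in Henry's html above: it drops the HTTP session, invalidates the TLS session where the container can, closes the connection so the next request cannot resume the dead session, and says so when it is running on a container that cannot invalidate TLS sessions.

```java
import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.apache.tomcat.util.net.SSLSessionManager;

/**
 * Server side of the "/logout" link (added example, not from the thread).
 * TLS session invalidation needs Tomcat 7 or later; the servlet degrades
 * to an HTTP-session-only logout on Tomcat 6 and reports that it did.
 */
@WebServlet("/logout")
public class LogoutServlet extends HttpServlet {

    // Servlet 3.0 attribute name; Tomcat 6.0.x exposed it under the
    // mis-spelled key below (the bug Mark Thomas points at in the thread).
    private static final String TLS_SESSION_ID = "javax.servlet.request.ssl_session_id";
    private static final String TLS_SESSION_ID_TOMCAT6 = "javax.servlet.request.ssl_session";

    // ASSUMED attribute name under which Tomcat 7+ exposes its SSLSessionManager.
    private static final String TLS_SESSION_MGR = "org.apache.tomcat.util.net.SSLSessionManager";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String tlsId = tlsSessionId(req);

        // 1. Application state: drop the HTTP session so nothing is reusable
        //    even if the browser keeps presenting the same certificate.
        HttpSession http = req.getSession(false);
        if (http != null) {
            http.invalidate();
        }

        // 2. Transport state: mark the TLS session non-resumable (Tomcat 7+).
        //    On Tomcat 6 the attribute is absent and this returns false.
        boolean tlsInvalidated = invalidateTlsSession(req);

        // 3. Do not keep the now-dead connection alive. With "Connection: close"
        //    the container closes the connection after this response, so the
        //    browser's next request needs a fresh handshake instead of riding
        //    the existing connection of an invalidated session.
        resp.setHeader("Connection", "close");
        resp.setHeader("Cache-Control", "no-store");
        resp.setContentType("text/plain;charset=UTF-8");

        // Log the id so it can be compared with the id seen on re-login: if the
        // browser resumes with the same id, the invalidation did not take.
        log("logout: tls session " + tlsId + " invalidated=" + tlsInvalidated);

        PrintWriter out = resp.getWriter();
        out.println("Logged out.");
        if (!tlsInvalidated) {
            out.println("Note: this container cannot invalidate TLS sessions (Tomcat 6 or older);");
            out.println("only the HTTP session was dropped.");
        }
    }

    /** Returns the TLS session id under either attribute name, or null on plain HTTP. */
    static String tlsSessionId(HttpServletRequest req) {
        Object id = req.getAttribute(TLS_SESSION_ID);
        if (id == null) {
            id = req.getAttribute(TLS_SESSION_ID_TOMCAT6);
        }
        return id == null ? null : id.toString();
    }

    /** Invalidates the TLS session if the container exposes an SSLSessionManager. */
    static boolean invalidateTlsSession(HttpServletRequest req) {
        Object mgr = req.getAttribute(TLS_SESSION_MGR);
        if (mgr instanceof SSLSessionManager) {
            ((SSLSessionManager) mgr).invalidateSession();
            return true;
        }
        return false;
    }
}
```

Two caveats follow directly from the thread. Invalidating the TLS session on the server does not make the browser ask for a certificate again: as Steven and Henry both observe, the browser caches its certificate choice (and smart card PIN) and simply completes a new handshake with the same certificate, so the link must keep its onclick="return logout();" so that Firefox and IE clear their own client state. And the way to verify that the transport-level part worked is Steven's question: compare the ssl_session_id logged at logout with the one seen on the next request; a matching id means the session was resumed and the logout was HTTP-only. Importing SSLSessionManager ties the webapp to Tomcat's coyote jar at compile time; on a deployment that must also build against Tomcat 6, the same call can be made through reflection instead.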
Received on Thursday, 15 September 2011 08:24:14 UTC