Joel Roth-Nater wrote:
> 
> My idea is to let Apache handle SSL traffic, but pass the SSL_SESSION_ID
> through mod_webapp to Tomcat. Tomcat could then use it to track its
> sessions without cookies or URL-rewriting. Before I start writing the
> code myself, I wonder if anyone has tried to do it.
> 
> I've been all over the list-archives, source code and doc to no avail,
> yet the J2EE spec mandates "SSL" as one of the methods for session
> tracking. Am I missing something?

Don't know about TC 4.x, but 3.3 from CVS has support for checking
Tomcat session IDs against SSL session IDs to prevent session
hijacking. Not sure if that helps you in any way...

Bojan
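
The kind of check mentioned in the reply above, modelled as an added example; it is not part of the original message and is not Tomcat's code. The class `BoundSessionStore`, its method names and the sample IDs are hypothetical, and the SSL session ID is assumed to arrive from the front-end server as a hex string.

```python
import hmac
import secrets


class BoundSessionStore:
    """Binds each application session ID to the SSL session ID it was issued on."""

    def __init__(self):
        self._bound = {}  # application session ID -> SSL session ID (hex)

    def create(self, ssl_session_id):
        """Issue a new application session tied to the current SSL session."""
        if not ssl_session_id:
            # Plain HTTP, or the front end did not forward the value.
            raise ValueError("no SSL session ID available; refusing to bind")
        sid = secrets.token_hex(16)
        self._bound[sid] = ssl_session_id
        return sid

    def check(self, sid, ssl_session_id):
        """Classify a request as 'ok', 'unknown', 'no-ssl' or 'mismatch'."""
        bound = self._bound.get(sid)
        if bound is None:
            return "unknown"
        if not ssl_session_id:
            return "no-ssl"
        if hmac.compare_digest(bound.encode(), ssl_session_id.encode()):
            return "ok"
        # Same application session presented on a different SSL session:
        # either a replayed session ID, or a legitimate client whose SSL
        # session expired and was renegotiated. Invalidate so that either
        # way the client has to authenticate again.
        del self._bound[sid]
        return "mismatch"


def demo():
    """Run the check over constructed IDs and return the verdicts in order."""
    store = BoundSessionStore()
    sid = store.create("a1b2c3d4")              # constructed SSL session ID
    return [
        store.check(sid, "a1b2c3d4"),           # same SSL session
        store.check(sid, ""),                   # request without SSL
        store.check(sid, "deadbeef"),           # different SSL session
        store.check(sid, "a1b2c3d4"),           # session was invalidated above
    ]


if __name__ == "__main__":
    print(demo())
```

Because SSL session IDs change whenever the client performs a new full handshake, a deployment using this check should expect legitimate users to hit the mismatch path after the SSL session cache times out.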
