Hi!

>> My problem is, that the application session (set by cookie or url
>> parameter) is not associated with the SSL session. And I hope, there is
>> an easy way to that.
>
> I don't understand why you want to connect to two (under my definition of
> each explained above).

Why I want that? If you've an application with session. So you can get the application information by spying (XSS, browser plugin etc.) or copying (URL with session ID). Because of that the idea was to join SSL session id and application session id, you can avoid that.

> It is not normal to connect the SSL session in
> this way, as the HTTP protocol may (or may not) use the same SSL session
> details during the next request, the client may (or may not) support
> persistent connections. The SSL session cache is a performance
> optimization, not something an application gets to see or use directly.

I'm not sure if I completely understand you: The SSL session (ID) can change between two requests?

> It is more normal to issue client certificates to your userbase and
> validate those certificates with a per-website certificate authority. In
> which case the certificate will have an "Issue Number" and it is this
> issue number you can use as an authentication token (providing the
> certificate has passed validity testing, I'm sure both apache and tomcat
> can help with your application specific validity rules).

Okay, yes. That is a possibility, the application will offer, but it's not forced to configure that way.

Thanks a lot!

Michael

--
Michael Decker [EMAIL PROTECTED]
TESIS SYSware GmbH http://www.tesis.de
Baierbrunnerstr. 15 * 81379 Muenchen * Tel. +49 89 747377-0