Hi Chuck,

Thank you for your quick response.

May I know how to get the protected HttpSession object in Spring controller/servlet? I used HttpRequest.getSession.invalidate() but can not force re-authentication. I tried maxKeepAliveRequests="1" attribute in HTTPS connector too, but can not force re-authentication. May I know how you do it?

In this thread (http://old.nabble.com/Force-getting-Client-Cert-from-browser-td20155194.html), Bill Barker-2 mentioned Tomcat can not force re-authentication. Is that correct?

Thank you.

Regards,
SamKong Goo

On 17 March 2010 11:47, Caldarale, Charles R <chuck.caldar...@unisys.com> wrote:
>> From: Goo Sam Kong [mailto:skgo...@gmail.com]
>> Subject: Re: How to set SSL session timeout in Tomcat 5.5.16
>>
>> I attempted that, that is HTTP Session not SSL session.
>
> Depending on how your webapp is configured, you may have two HttpSession
> objects - one protected, and one not. Make sure you're invalidating the
> protected session from servlet code associated with a protected resource, not
> from an unprotected reference.
>
> You could also turn off keep-alives in the HTTPS <Connector> (set
> maxKeepAliveRequests="1"). Renegotiating the SSL handshake on each request
> might be a noticeable performance hit, however.
>
>  - Chuck
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org