
[jetty-dev] Servlet 3.0 SSL/TLS based Session Tracking

In reviewing the Servlet 3.0 spec I noticed that there is a mention of
tracking app session using SSL.  This was also mentioned in the
"Introducing Apache Tomcat 7" talk[1] on InfoQ.

From a security perspective, tying the web app session to a TLS session
would be a nice thing.  However, I'd be pretty worried about browsers
doing dumb things and randomly starting new TLS sessions.  It's fairly
clear they don't do this over a short period of time (or large websites
would be pretty upset) but over the span of a session lifetime of 30
minutes or 4 or 8 hours this might be a problem.

Have you guys played around with this concept much?  Do you have any
initial feeling about whether browsers can really support such a setup?

Thanks.

[1] http://www.infoq.com/presentations/Apache-Tomcat-7
-- 
Chad La Joie
http://itumi.biz
trusted identities, delivered
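As an added illustration of the Servlet 3.0 session-tracking API the post refers to (example code, not from this thread or from Jetty), here is a context listener that asks the container to bind the HTTP session to the TLS session and, if the container does not report SSL tracking as supported, falls back to cookie-only tracking with a Secure, HttpOnly cookie. The class name and the use of getDefaultSessionTrackingModes as the support check are my assumptions.

```java
import java.util.EnumSet;
import java.util.Set;
import java.util.logging.Logger;

import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.SessionTrackingMode;
import javax.servlet.annotation.WebListener;

/** Hypothetical listener that opts the web app into TLS-session-based tracking. */
@WebListener
public class SslSessionTrackingConfig implements ServletContextListener {
    private static final Logger LOG =
            Logger.getLogger(SslSessionTrackingConfig.class.getName());

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();
        // Assumption: a container that implements SSL tracking lists it among
        // its default modes; check before requesting it.
        Set<SessionTrackingMode> supported = ctx.getDefaultSessionTrackingModes();
        if (supported.contains(SessionTrackingMode.SSL)) {
            // Per the spec, SSL must not be combined with COOKIE or URL;
            // the container throws IllegalArgumentException if it is.
            ctx.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.SSL));
            LOG.info("HTTP session bound to the TLS session");
        } else {
            // Fallback: cookie-only (never URL rewriting), and the cookie is
            // restricted to HTTPS and hidden from script.
            ctx.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));
            SessionCookieConfig cookie = ctx.getSessionCookieConfig();
            cookie.setSecure(true);
            cookie.setHttpOnly(true);
            LOG.warning("SSL session tracking not supported here; using secure cookies");
        }
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // nothing to release
    }
}
```

With SSL mode in effect, a browser that opens a fresh TLS session (the concern raised above) will be seen as a new HTTP session, so the application should expect re-authentication in that case rather than treating it as an error.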