shibboleth-dev - Re: [Shib-Dev] Viability of SSL/TLS Session IDs usage for application Session IDs
Subject: Shibboleth Developers
List archive
Re: [Shib-Dev] Viability of SSL/TLS Session IDs usage for application Session IDs
Chronological Thread
- From: Chad La Joie <>
- To:
- Subject: Re: [Shib-Dev] Viability of SSL/TLS Session IDs usage for application Session IDs
- Date: Wed, 9 Feb 2011 10:53:54 -0500
On Wed, Feb 9, 2011 at 10:48, Kristof Bajnok
<>
wrote:
> On Wednesday 09 February 2011 15:52:40 Chad La Joie wrote:
>> Doing this seems like it would address all the aforementioned issues
>> and obviate the need for a session cookie
>
> How does the TLS session compare to the stateless HTTP? Browser differences
> put
> aside, when should TLS session IDs be regenerated?
There really isn't a comparison to stateless HTTP. They're orthogonal.
As to when the session ID is generated, it's part of the initial
negotiation. One way to think about it is that all HTTP requests
occur within a session.
> For logout, the IdP must maintain the associated SP list for each user, and
> at
> the moment it uses the session for that.
The IdP still maintains a session object, but instead of dropping a
cookie to track the session ID the IdP session object is instead keyed
to the TLS session ID. Nothing within the IdP itself would notice
this change. It's only the IdPSessionFilter class that would change.
--
Chad La Joie
www.itumi.biz
trusted identities, delivered
- [Shib-Dev] Viability of SSL/TLS Session IDs usage for application Session IDs, Chad La Joie, 02/09/2011
- RE: [Shib-Dev] Viability of SSL/TLS Session IDs usage for application Session IDs, Rod Widdowson, 02/09/2011
- Re: [Shib-Dev] Viability of SSL/TLS Session IDs usage for application Session IDs, Kristof Bajnok, 02/09/2011
- Re: [Shib-Dev] Viability of SSL/TLS Session IDs usage for application Session IDs, Chad La Joie, 02/09/2011
- RE: [Shib-Dev] Viability of SSL/TLS Session IDs usage for application Session IDs, Cantor, Scott E., 02/09/2011
- Re: [Shib-Dev] Viability of SSL/TLS Session IDs usage for application Session IDs, Chad La Joie, 02/09/2011
- RE: [Shib-Dev] Viability of SSL/TLS Session IDs usage for application Session IDs, Peter Williams, 02/09/2011
- RE: [Shib-Dev] Viability of SSL/TLS Session IDs usage for application Session IDs, Cantor, Scott E., 02/09/2011
- Re: [Shib-Dev] Viability of SSL/TLS Session IDs usage for application Session IDs, Chad La Joie, 02/09/2011
- RE: [Shib-Dev] Viability of SSL/TLS Session IDs usage for application Session IDs, Peter Williams, 02/09/2011
- RE: [Shib-Dev] Viability of SSL/TLS Session IDs usage for application Session IDs, Cantor, Scott E., 02/09/2011
- RE: [Shib-Dev] Viability of SSL/TLS Session IDs usage for application Session IDs, Cantor, Scott E., 02/09/2011
- Re: [Shib-Dev] Viability of SSL/TLS Session IDs usage for application Session IDs, Bradley Schwoerer, 02/09/2011
- Re: [Shib-Dev] Viability of SSL/TLS Session IDs usage for application Session IDs, Cantor, Scott E., 02/09/2011
- Re: [Shib-Dev] Viability of SSL/TLS Session IDs usage for application Session IDs, Michael J. Wheeler, 02/09/2011
- Re: [Shib-Dev] Viability of SSL/TLS Session IDs usage for application Session IDs, Eric Norman, 02/09/2011
- Re: [Shib-Dev] Viability of SSL/TLS Session IDs usage for application Session IDs, Cantor, Scott E., 02/09/2011
- Re: [Shib-Dev] Viability of SSL/TLS Session IDs usage for application Session IDs, Bradley Schwoerer, 02/09/2011
- RE: [Shib-Dev] Viability of SSL/TLS Session IDs usage for application Session IDs, Cantor, Scott E., 02/09/2011
- RE: [Shib-Dev] Viability of SSL/TLS Session IDs usage for application Session IDs, Cantor, Scott E., 02/09/2011
Archive powered by MHonArc 2.6.16.