shibboleth-dev - RE: [Shib-Dev] Viability of SSL/TLS Session IDs usage for application Session IDs

Subject: Shibboleth Developers

  • From: "Cantor, Scott E." <>
  • To: "" <>
  • Subject: RE: [Shib-Dev] Viability of SSL/TLS Session IDs usage for application Session IDs
  • Date: Wed, 9 Feb 2011 16:05:31 +0000
  • Accept-language: en-US

> As to when the session ID is generated, it's part of the initial
> negotiation. One way to think about it is that all HTTP requests
> occur within a session.

As you suggested, however, there's a pretty good chance they'll occur in
multiple sessions, not just one. I very much doubt you'll have any solid
control over when they change.

I think it would make logout pretty much impossible to rely on (ok, more
impossible), and would lead to a lot of client-specific weirdness.

In other words, I suspect most people would end up having to turn it off in
favor of cookies, but we probably wouldn't know without testing it.

Of course, if you use client TLS, that's a perfect solution, but not
generally relevant.

-- Scott



