shibboleth-dev - Re: [Shib-Dev] Viability of SSL/TLS Session IDs usage for application Session IDs

  • From: Chad La Joie <>
  • To:
  • Subject: Re: [Shib-Dev] Viability of SSL/TLS Session IDs usage for application Session IDs
  • Date: Wed, 9 Feb 2011 11:13:39 -0500

On Wed, Feb 9, 2011 at 11:05, Cantor, Scott E. <> wrote:
>> As to when the session ID is generated, it's part of the initial
>> negotiation.  One way to think about it is that all HTTP requests
>> occur within a session.
>
> As you suggested, however, there's a pretty good chance they'll occur in
> multiple sessions, not just one. I very much doubt you'll have any solid
> control over when they change.

Well, any given request only occurs within one TLS session. But yeah,
if that session is changing between requests you run into problems
and that's what I'm concerned about.

> I think it would make logout pretty much impossible to rely on (ok, more
> impossible), and would lead to a lot of client-specific weirdness.

As opposed to the client-specific weirdness already inherent in the
proposed solutions ;)

> In other words, I suspect most people would end up having to turn it off in
> favor of cookies, but we probably wouldn't know without testing it.

Yeah, I think we'll just have to test it. I know how to control the
behavior on the server side (assuming the container is really the one
handling the SSL connection). It's the browsers that are the big
wild card right now.


--
Chad La Joie
www.itumi.biz
trusted identities, delivered


