[virgo-dev] Tomcat 7 talk [was: Fwd: [jetty-dev] Servlet 3.0 SSL/TLS based Session Tracking]

Useful talk [1] on Tomcat 7 from, ahem, one of my colleagues.


Begin forwarded message:

From: Chad La Joie <lajoie@xxxxxxxxx>
Date: 11 February 2011 15:46:05 GMT
To: "Jetty @ Eclipse developer discussion list" <jetty-dev@xxxxxxxxxxx>
Subject: [jetty-dev] Servlet 3.0 SSL/TLS based Session Tracking
Reply-To: "Jetty @ Eclipse developer discussion list" <jetty-dev@xxxxxxxxxxx>

In reviewing the Servlet 3.0 spec I noticed that there is a mention of
tracking app sessions using SSL.  This was also mentioned in the
"Introducing Apache Tomcat 7" talk [1] on InfoQ.

From a security perspective, tying the web app session to a TLS session
would be a nice thing.  However, I'd be pretty worried about browsers
doing dumb things and randomly starting new TLS sessions.  It's fairly
clear they don't do this over a short period of time (or large websites
would be pretty upset), but over the span of a session lifetime of 30
minutes or 4 or 8 hours this might be a problem.

Have you guys played around with this concept much?  Do you have any
initial feeling about whether browsers can really support such a setup?


[1] http://www.infoq.com/presentations/Apache-Tomcat-7
Chad La Joie
trusted identities, delivered
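To make the feature under discussion concrete: the Servlet 3.0 API lets a web application ask the container to key its HTTP sessions on the TLS session instead of a JSESSIONID, and the same API lets you measure the failure mode Chad raises (a browser silently starting a new TLS session, after which the id it presents no longer maps to a live session). This is an added example, not code from the thread or from Jetty or Tomcat; the class names are hypothetical and it assumes a Servlet 3.0 container with a TLS connector.

```java
import java.io.IOException;
import java.util.EnumSet;
import java.util.concurrent.atomic.AtomicLong;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpServletRequest;

/** Hypothetical listener: key HTTP sessions on the TLS session id. */
@WebListener
public class SslSessionTrackingListener implements ServletContextListener {
    @Override
    public void contextInitialized(ServletContextEvent sce) {
        // SSL may not be combined with COOKIE or URL; a mixed set makes the
        // container throw IllegalArgumentException. Equivalent web.xml form:
        // <session-config><tracking-mode>SSL</tracking-mode></session-config>
        sce.getServletContext()
           .setSessionTrackingModes(EnumSet.of(SessionTrackingMode.SSL));
    }
    @Override
    public void contextDestroyed(ServletContextEvent sce) { }

    /** Hypothetical filter: count requests whose presented session id is
     *  unknown to the container. With SSL tracking that id is the TLS
     *  session id, so a steady stream of unknown ids during normal use is
     *  the "browser started a fresh TLS session" problem showing up in
     *  practice (a plain session timeout looks the same, so compare the
     *  ratio against the configured session lifetime). */
    @WebFilter("/*")
    public static class SessionLossMeter implements Filter {
        static final AtomicLong REQUESTS = new AtomicLong();
        static final AtomicLong STALE_IDS = new AtomicLong();

        @Override
        public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                throws IOException, ServletException {
            HttpServletRequest http = (HttpServletRequest) req;
            REQUESTS.incrementAndGet();
            if (http.getRequestedSessionId() != null && !http.isRequestedSessionIdValid()) {
                STALE_IDS.incrementAndGet();
                http.getServletContext().log("unknown session id from " + http.getRemoteAddr()
                        + " (" + STALE_IDS.get() + " of " + REQUESTS.get() + " requests)");
            }
            chain.doFilter(req, res);
        }
        @Override public void init(FilterConfig cfg) { }
        @Override public void destroy() { }
    }
}
```

Deploy it on a staging host behind real browsers and watch the ratio over a 30-minute and an 8-hour window; that is the data the question above asks for.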