In reviewing the Servlet 3.0 spec I noticed that there is a mention of
tracking app session using SSL. This was also mentioned in the
"Introducing Apache Tomcat 7" talk on InfoQ.
From a security perspective, tying the web app session to a TLS session
would be a nice thing. However, I'd be pretty worried about browsers
doing dumb things and randomly starting new TLS sessions. It's fairly
clear they don't do this over a short period of time (or large websites
would be pretty upset) but over the span of a session lifetime of 30
minutes or 4 or 8 hours this might be a problem.
Have you guys played around with this concept much? Do you have any
initial feeling about whether browsers can really support such a setup?
Chad La Joie
http://itumi.biz
trusted identities, delivered
jetty-dev mailing list
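As an added illustration (not from the original post or the Jetty project): a Servlet 3.0 filter that measures the browser behaviour the post asks about while the application keeps cookie-based tracking, by comparing the `javax.servlet.request.ssl_session_id` attribute on each request with the id first seen for that `HttpSession`. The filter class and its session-attribute names are hypothetical; the request attribute itself is defined by the Servlet spec.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical filter: records the TLS session id seen on the first request of an
// HttpSession and logs each later request that arrives on a different TLS session.
public class TlsSessionDriftFilter implements Filter {
    private static final String ATTR_LAST_TLS_ID = "tlsDrift.lastId";
    private static final String ATTR_CHANGES = "tlsDrift.changes";

    @Override public void init(FilterConfig cfg) {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        // Spec-defined attribute; null when the request did not arrive over TLS.
        String tlsId = (String) req.getAttribute("javax.servlet.request.ssl_session_id");
        HttpSession session = http.getSession(true);
        if (tlsId != null) {
            String last = (String) session.getAttribute(ATTR_LAST_TLS_ID);
            if (last == null) {
                // First TLS request for this app session: remember the TLS id.
                session.setAttribute(ATTR_LAST_TLS_ID, tlsId);
                session.setAttribute(ATTR_CHANGES, 0);
            } else if (!last.equals(tlsId)) {
                // Browser (or a proxy) moved this app session onto a new TLS session:
                // this is exactly the event that would break SSL-based tracking.
                int n = (Integer) session.getAttribute(ATTR_CHANGES) + 1;
                session.setAttribute(ATTR_CHANGES, n);
                session.setAttribute(ATTR_LAST_TLS_ID, tlsId);
                http.getServletContext().log("TLS session id changed for app session "
                        + session.getId() + " (change #" + n + ")");
            }
        }
        chain.doFilter(req, res);
    }

    @Override public void destroy() {}
}
```

Run it for a while against real browsers before switching the container to `SessionTrackingMode.SSL`; the count per session shows directly how often a 30-minute or multi-hour application session would have been lost.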