[3500] in WWW Security List Archive
SSL sessions across stateless http?
daemon@ATHENA.MIT.EDU (Kennedy, John)
Fri Nov 8 20:42:40 1996
From: "Kennedy, John" <jdkennedy@cos.spaceapps1.spaceapps.com>
To: "'www-security@nsmx.rutgers.edu'" <www-security@ns2.rutgers.edu>
Date: Fri, 08 Nov 96 16:15:00 PST
Errors-To: owner-www-security@ns2.rutgers.edu

Greetings:

Some questions about SSL:

Given that http is stateless, by what mechanism does SSL maintain a
'continuous' session across the many tcp/ip connections that can occur at
a secured site? (I assume it's not a cookie).

If a client drops the 'connection' during an SSL session, how does the
server determine when to end the session?

Can the mechanism used by SSL be used by another application? For
example, let's say we are setting up a server to play a friendly game of
blackjack with some remote user over the web, but in a secure
environment. Using his browser, the player connects to the site, goes to
a secure page (and perhaps logs in -- maybe it's a competition to see who
can win the most points :-), and starts to play. Could the 'game engine'
use the same session info to track the player during the session that SSL
uses?

Thanks!

--jd--