[3631] in WWW Security List Archive
Re: SSL sessions across stateless http?
daemon@ATHENA.MIT.EDU (Roberto Galoppini)
Tue Nov 26 02:52:05 1996
Date: Mon, 25 Nov 1996 16:50:20 +0100
From: Roberto Galoppini <rgaloppini@tim.it>
Reply-To: rgaloppini@tim.it
To: Jeff Lewis <lewis@netserver.Stanford.EDU>
CC: "Kennedy, John" <jdkennedy@cos.spaceapps1.spaceapps.com>,
www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu
Some of you wrote:
>
> > Given that http is stateless, by what mechanism does SSL maintain a
> > 'continuous' session across the many tcp/ip connections that can occur at
> > a secured site? (I assume it's not a cookie).
and likely Jeff Lewis answered:
>
> The mechanism is a session id that the two parties figure out while
> exchanging certificates that they then use to encrypt messages to
> each other.
Did any of you sort out any detail on that session ID? Is it the
session key by any chance? Or what?
BTW I'm working on 'logical' sessions too and, so far, the best idea I've
got is to create a random number at session setup, then pass it over from
page to page as a hidden tag and, last but not least, use a time-stamp to
allow the end-user to use that random number for, let's say, one hour.
Using SSL above/under/besides it is recommended.
Thanks in advance,
Roberto Galoppini
rgaloppini@tim.it