[3648] in WWW Security List Archive
Re: SSL sessions across stateless http?
daemon@ATHENA.MIT.EDU (Patrick C. Richard)
Fri Nov 29 23:01:58 1996
Date: Fri, 29 Nov 1996 18:13:22 -0800 (PST)
From: "Patrick C. Richard" <patr@xcert.com>
To: Steen Larsen <steen.larsen@ed.nce.sita.int>
cc: www-security@ns2.rutgers.edu
In-Reply-To: <329EE482.7962@ed.nce.sita.int>
Errors-To: owner-www-security@ns2.rutgers.edu

On Fri, 29 Nov 1996, Steen Larsen wrote:
> Does anybody know an SSL WWW server that reveals the SSL session ID
> to CGI scripts?

That's kind of a bad thing because it can be re-negotiated at any time.
If you are using SSL already, why not use the client certs to maintain
state? That's what we recommend, anyhow.

>
> Best regards
>
> Steen
>
> --
>
> Steen Koefoed Larsen <steen.larsen@ed.nce.sita.int>
>
> Disclaimer: This letter may contain pure garbage that differs
> from the opinion of myself and the companies I work for.
>
> SITA -- Societe Internationale de Telecommunications Aeronautiques
> R & D Nice, Heraklion - 1041 Route des Dolines, F-06560 Valbonne
> Phone: +33 4 92.96.63.67, Fax: +33 4 92.96.64.92, SITATEX: NCEEMXS
>
> E-mail@home: steenkl@dircon.co.uk, GSM Mobile: +45 40512486
>
>
> *** Syntax? Why not - they tax everything else! ***
>
----
Pat Richard
patr@x509.com
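
Added example, not part of the original message or any poster's code: a sketch of the reply's point, comparing server-side state keyed on the SSL session ID with state keyed on the verified client certificate when the session ID changes between two requests. The environment variable names follow Apache mod_ssl conventions and are an assumption, as are the sample values, which are constructed.

```python
import hashlib
import ssl

# Constructed stand-in for a client certificate: filler bytes, not real X.509.
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(b"constructed-client-cert-der-bytes")

def key_from_session_id(env):
    """State key taken from the SSL session ID (the approach asked about)."""
    return env.get("SSL_SESSION_ID")

def key_from_client_cert(env):
    """State key from the verified client certificate's SHA-256 fingerprint."""
    if env.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return None  # unverified or absent certificate: no identity to key on
    try:
        der = ssl.PEM_cert_to_DER_cert(env.get("SSL_CLIENT_CERT", ""))
    except ValueError:
        return None  # missing or malformed PEM
    return hashlib.sha256(der).hexdigest()

class StateStore:
    """Per-client server-side state, keyed by key_func(CGI environment)."""
    def __init__(self, key_func):
        self.key_func = key_func
        self.data = {}
    def handle(self, env, item=None):
        key = self.key_func(env)
        if key is None:
            return None  # refuse the request rather than share or guess state
        items = self.data.setdefault(key, [])
        if item is not None:
            items.append(item)
        return list(items)

def demo():
    """Same client, two requests; the session ID changed in between."""
    first = {"SSL_SESSION_ID": "AA11", "SSL_CLIENT_VERIFY": "SUCCESS",
             "SSL_CLIENT_CERT": SAMPLE_PEM}
    second = dict(first, SSL_SESSION_ID="BB22")  # constructed new session ID
    results = {}
    for name, func in (("session_id", key_from_session_id),
                       ("client_cert", key_from_client_cert)):
        store = StateStore(func)
        store.handle(first, "item-1")
        results[name] = store.handle(second)
    return results

if __name__ == "__main__":
    print(demo())
```

The session-ID store returns an empty list for the second request because the key changed, while the certificate-keyed store still returns the stored item.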