Closed glassfishrobot closed 7 years ago
glassfishrobot
commented
6 years ago glassfishrobot
commented
8 years ago @glassfishrobot Commented Reported by MyHat95111
glassfishrobot
commented
8 years ago @glassfishrobot Commented Issue-Links: clones SERVLET_SPEC-107 is duplicated by SERVLET_SPEC-107
glassfishrobot
commented
7 years ago @glassfishrobot Commented This issue was imported from java.net JIRA SERVLET_SPEC-151
glassfishrobot
commented
7 years ago @glassfishrobot Commented Marked as duplicate on Wednesday, October 12th 2016, 2:18:38 pm
Neustradamus
commented
7 months ago
RM> In addition to the attributes currently required to be supported RM> when a request has been received over a secure protocol, consider RM> adding a requirement that that container make the value of RM> tls_unique availbale via the required to be supported (SSL) RM> attributes.
RM> tls_unique is defined in http://tools.ietf.org/html/rfc5929
RM> Access to this value will facilitate the practice of creating RM> cookies and other session identifying tokens that are bound to a RM> specific TLS connection (iow, that cannot be stolen and reused RM> outside of the TLS connection under which they were established and RM> returned).
RM> The attribute could be called: javax.servlet.request.tls_unique
RM> Note that support for this attribute above JSSE will require that RM> the value of verifyData as conveyed in the TLS finished handshake RM> message be available from the SSLSession object.