open-eid / chrome-token-signing

DEPRECATED Chrome and Firefox extension for signing with your eID on the web
https://github.com/open-eid/chrome-token-signing/wiki
GNU Lesser General Public License v2.1

Problem when using Chrome on Linux and removing id-card from the reader #24

Closed mrtnkbnn closed 7 years ago

mrtnkbnn commented 7 years ago

I have set up a Jetty web server which requires a client certificate, and I use it to authenticate my users with their ID card. Everything works fine on Windows and OSX machines with the Firefox and Chrome browsers. On Linux everything is fine with Firefox, but I noticed a weird issue with Chrome:

The first time I try to authenticate, everything is fine. But when I "log out" and remove my ID card from the reader, the next time I can authenticate without any ID card being in the reader. The problem occurs only when I do not close the browser between the first and second attempt. It looks like my server somehow still receives the last user's ID card certificate.

Any ideas?

martinpaljak commented 7 years ago

1) Session handling. Make sure you follow OWASP guidelines.
2) SSL session cache. If possible (I think Jetty provides methods for this), invalidate the SSL session upon logout. Also, bind the SSL session to your application-level session if possible (SSL session ID as input for the HTTP session, for example).

To clear the cache from the client side, close the browser to flush the client-side SSL session cache, OR renegotiate on your login URL (this requires a fresh signature from the card).

Maybe this helps. Right now authentication and chrome-token-signing have nothing in common, so there is nothing to fix here.
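The two server-side measures from the reply above (binding the HTTP session to the TLS session that presented the card certificate, and invalidating the TLS session on logout) as a Servlet filter for Jetty. This is an added example, not code from the chrome-token-signing project or from either commenter. It uses the standard Servlet attributes `javax.servlet.request.ssl_session_id` and `javax.servlet.request.X509Certificate`; the Jetty attribute name used to reach the `javax.net.ssl.SSLSession` object, the `/logout` path and the session attribute names are assumptions and should be checked against the Jetty version in use.

```java
import java.io.IOException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLSession;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Ties the application session to the TLS session whose handshake carried the
 * card certificate, and tears both down on logout so that a resumed TLS session
 * cannot keep authenticating a user whose card has been removed.
 */
public class CardSessionFilter implements Filter {
    // Standard Servlet attributes populated by the container on client-cert connections.
    private static final String ATTR_CERTS = "javax.servlet.request.X509Certificate";
    private static final String ATTR_TLS_ID = "javax.servlet.request.ssl_session_id";
    // Jetty-specific attribute holding the javax.net.ssl.SSLSession (assumed name; verify for your Jetty).
    private static final String ATTR_JETTY_SSL_SESSION = "org.eclipse.jetty.servlet.request.ssl_session";
    // Application-level session attribute names (chosen for this example).
    private static final String SESSION_TLS_ID = "bound.tls.session.id";
    private static final String SESSION_SUBJECT = "bound.subject.dn";
    private static final String LOGOUT_PATH = "/logout"; // assumed logout endpoint

    @Override public void init(FilterConfig config) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (LOGOUT_PATH.equals(request.getServletPath())) {
            logout(request);
            response.setStatus(HttpServletResponse.SC_NO_CONTENT);
            return;
        }

        String tlsId = (String) request.getAttribute(ATTR_TLS_ID);
        X509Certificate[] certs = (X509Certificate[]) request.getAttribute(ATTR_CERTS);
        if (tlsId == null || certs == null || certs.length == 0) {
            // No client certificate on this connection: refuse instead of trusting any cached state.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "client certificate required");
            return;
        }

        HttpSession session = request.getSession(false);
        if (session == null) {
            // First request over this TLS session: record which handshake authenticated the user.
            session = request.getSession(true);
            session.setAttribute(SESSION_TLS_ID, tlsId);
            session.setAttribute(SESSION_SUBJECT, certs[0].getSubjectX500Principal().getName());
        } else if (!tlsId.equals(session.getAttribute(SESSION_TLS_ID))) {
            // The HTTP session arrived over a different TLS session than the one that
            // authenticated it: drop it and force a fresh handshake with the card.
            session.invalidate();
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "session/TLS binding mismatch");
            return;
        }
        chain.doFilter(req, res);
    }

    private void logout(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        Object ssl = request.getAttribute(ATTR_JETTY_SSL_SESSION);
        if (ssl instanceof SSLSession) {
            // Invalidate the server-side TLS session so the browser's cached session ID can no
            // longer be resumed; the next connection needs a full handshake, i.e. the card.
            ((SSLSession) ssl).invalidate();
        }
    }
}
```

Register the filter in front of the authenticated paths. The server cannot clear Chrome's own TLS session cache, but once the server-side `SSLSession` is invalidated, resumption with the old session ID fails and the client must perform a full handshake, which is only possible with the card in the reader; the session-ID binding catches the remaining case where an old cookie is replayed over a different connection.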