Re: configure SSL session timeout - modssl
On Thu, Oct 06, 2005 at 09:51:47AM -0400, Cliff Woolley wrote:
> > I know the SSL session timeout param can be configured by the directive
> > "SSLSessionCacheTimeout". Is there any setting or API for the browser or
> > client application to configure the SSL session timeout param and override
> > the server's one such that each application can configure their timeout
> > period of the SSL connection according to their requirement?
> Nope... not that I know of.
Just to clear this up - both the client and the server choose whether
they want to reuse sessions. SSLSessionCacheTimeout sets how long the
server is willing to reuse a session, but a client may choose not to
reuse the session after a shorter time. When a session expires on the
server, a client may try to reuse the session, but the server won't
One example of a client using short session times is IE which would
expire SSL2 sessions really fast, but allow TLSv1 with strong crypto to
live much longer (that experience is a couple of years old, so they've
probably changed the policy many times over since then).
`Darn it, who spiked my coffee with water?!' - lwall
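
An added example, not part of the original post or of mod_ssl: a Python client that applies its own, shorter cap on TLS session reuse, which is the client-side choice the reply describes. The names `ClientSessionPolicy`, `max_age_seconds` and `connect`, and the stub session values, are assumptions made for illustration.

```python
import socket
import ssl
import time
from types import SimpleNamespace


class ClientSessionPolicy:
    """Client-side cap on TLS session reuse (hypothetical helper)."""

    def __init__(self, max_age_seconds):
        self.max_age = max_age_seconds
        self._cache = {}  # (host, port) -> ssl.SSLSession

    def remember(self, host, port, session):
        if session is not None:
            self._cache[(host, port)] = session

    def session_for(self, host, port, now=None):
        """Return the cached session if still acceptable, else None."""
        session = self._cache.get((host, port))
        if session is None:
            return None
        now = time.time() if now is None else now
        # Use the shorter of the client's own cap and the timeout
        # recorded on the session object.
        limit = min(self.max_age, session.timeout)
        if now - session.time >= limit:
            del self._cache[(host, port)]  # never offer it again
            return None
        return session


def connect(policy, context, host, port=443):
    """Handshake once; return True if the server resumed the offered session."""
    offered = policy.session_for(host, port)
    with socket.create_connection((host, port), timeout=10) as raw:
        with context.wrap_socket(raw, server_hostname=host,
                                 session=offered) as tls:
            policy.remember(host, port, tls.session)
            return tls.session_reused


if __name__ == "__main__":
    # Constructed stand-in for ssl.SSLSession so the policy runs offline.
    policy = ClientSessionPolicy(max_age_seconds=60)
    stub = SimpleNamespace(time=1000, timeout=300)
    policy.remember("example.test", 443, stub)
    print(policy.session_for("example.test", 443, now=1030) is stub)  # within cap
    print(policy.session_for("example.test", 443, now=1090) is None)  # client expired it
```

`connect` must be called with the same `ssl.SSLContext` each time, because a session can only be offered on the context that created it. If the server has already expired the session, `session_reused` comes back False and the handshake is a full one.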