https客户端证书注销/重新登录 [英] https client certificate logout/relogin
问题描述
我有一个使用ssl证书认证的网站。
如何强制Web浏览器从服务器再次询问要使用的证书?
这将是可用于注销,但在这里的用例是切换用户身份。
我记得有关指导用户到一个页面有ssl设置
我的设置使用apache mod-ssl,但也欢迎IIS解决方案。
更新:
我特别询问服务器端:如何在要求客户端证书但拒绝所有证书的同一主机名上设置URL。
对于Firefox, javascript:window.crypto.logout(); 可以处理小用户不便(我相信可以)。
这通常是相当困难的(当然,客户端证书使用对于大多数用户)。
从客户端,有一些JavaScript技术,但它们不是全面支持的(参见 使用Apache Tomcat 7,您可以使用request属性使SSL / TLS会话无效,如此问题中所述。 我不知道的任何钩子,让你这样做与Apache Httpd(和 在IIS上,这个问题仍然没有得到答复。 从浏览器的角度来看,它的设置和清除SSL状态(这取决于浏览器,但通常需要至少几个对话框,不只是一个快速按钮,至少没有插件)。 I have a web site using ssl certificate authentication.
How to force the web browser from the server to ask again the certificate to be used?
It would be useable for logout, but the use case here is switching user identity. I remember something about directing the user to a page which have ssl settings incompatible with the current authentication certificate, but could not find the right settings. My setup uses apache mod-ssl, but an IIS solution would also be welcome. Update:
I am specifically asking the server side: how to set up an URL on the same hostname that requires client certificates but rejects all certificates. For Firefox, This is rather difficult in general (and certainly one of the reasons why client-certificate usage can be tedious for most users). From the client side, there are some JavaScript techniques, but they are not supported across the board (see this question). Using Apache Tomcat 7, you can invalidate the SSL/TLS session using a request attribute, as described in this question. I'm not aware of any hook that would let you do this with Apache Httpd (and On IIS, this question is still unanswered. The general way, from the browser point of view, is to go into its setting and clear the SSL state (this varies depending on the browser, but usually requires a couple of dialog boxes at least, not just a quick button, at least not without a plugin). 这篇关于https客户端证书注销/重新登录的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
mod_ssl )。 Apache Httpd后面可用的机制(例如 mod_php ,CGI,FCGI ...)一般不能改变由<$设置的任何设置或环境变量
javascript:window.crypto.logout(); does work with minor user inconvenience (which I believe could be scripted around).mod_ssl). The mechanisms usable behind Apache Httpd (e.g. mod_php, CGI, FCGI, ...) generally don't get to be able to alter any settings or environment variables set by mod_ssl, which would be necessary to invalidate the session.
