如何清除SSL状态，当浏览器用户的会话过期？ [英] How to clear SSL state in browser when user's session expires?

问题描述

我工作的一个ASP.NET应用程序，其中我们的用户使用客户端证书通过HTTPS进行身份验证。我们的用户只使用IE7。

I'm working on an ASP.NET application where our users authenticate using client certificates over HTTPS. Our users are only using IE7.

在一个客户端证书已被用于验证成功它停留在浏览器的SSL缓存直至处理被关闭或用户手动清除SSL缓存。我们希望能够清除SSL缓存每当一个用户注销，或他们的会话过期，提高了系统的安全性。

Once a client certificate has been used to authenticate successfully it stays in the browser's SSL cache until the process is closed or the user manually clears the SSL cache. We want to be able to clear the SSL cache whenever a user logs out, or their session expires, to improve the security of the system.

我们的客户已经在使用智能卡来访问系统，当自动将卡从客户端计算机中删除它卸载证书，但这并不能清除浏览器缓存可言，留下潜在的攻击途径从谁曾访问权限的用户在同一台机器的正版用户。

Our clients already use smartcards to access the system, which unload certificates automatically when the card is removed from the client computer, but this does not clear the browser cache at all, leaving a potential avenue of attack from another user who had access to the same machine as the genuine user.

我已经发现了如何从JavaScript做实际清除缓存：

I've found out how to do the actual cache clearing from JavaScript:

document.execCommand（ClearAuthenticationCache）;

document.execCommand("ClearAuthenticationCache");

这完美的作品，当用户明确注销，因为我们可以让用户再次登录之前执行客户端上的脚本。

which works perfectly when a user explicitly logs out, as we can execute the script on the client before allowing the user to log in again.

请注意：IE7只允许在保持HTTP的Web服务器上禁用缓存编程方式清除

NOTE: IE7 only lets the cache be cleared programmatically when HTTP Keep-Alives are disabled on the web server.

下面是棘手位 - 如果一个客户端的会话到期，我不知道任何方式在浏览器来处理这个用户尝试再次登录之前。我不能清除状态时，他们到达登录页面，因为我需要状态清除和页面在服务器上执行之前，新证书选择。

Here's the tricky bit - if a client's session expires, I don't know of any way to handle this in the browser before the user tries to login again. I can't clear the state when they get to the login page, because I need the state cleared and a new certificate chosen before the page executes on the server.

任何想法？对于问题的长度，但背景是道歉为这一个重要的。

Any ideas? Apologies for length of question, but background is important for this one.

推荐答案

没关系，我想出了一个好办法：

Never mind, I came up with a good solution:

• 当用户成功登录，我们创建一个不到期，直到浏览器关闭额外的会话cookie。

• When the user successfully logs in, we create an additional session cookie that doesn't expire until the browser is closed.

如果用户回来后登录页面，要求非认证，我们的会话cookie的存在检查 - 如果存在的话，我们知道，用户拥有previously进行了对话，所以我们明确地记录他们，正是因为我们对用户发起的注销事情。如果会话cookie不那么我们尝试自动登录用户使用其证书存在。

If the user comes back to the login page later and the request is unauthenticated, we check for the existence of the session cookie - if it exists, we know that the user has previously had a session, so we explicitly log them out, exactly as we do for the user-initiated logout. If the session cookie doesn't exist then we attempt to automatically log the user in using their certificate.

Cookie是每一个明确的删除自定义会话注销，并重新填充每个成功登录。

The custom session cookie is deleted for each explicit log out, and re-populated for each successful login.

这给了我们为用户提供最佳体验，并保证证书只要将只作为会话仍然是有效的缓存（15分钟，滑动）。另外，会话cookie不能被用户取出，所以没有办法绕过此行为。不接受会话cookie它们无法使用本网站。

This gives us the best experience for the user, and guarantees that a certificate will be cached only as long as a session is still valid (15 minutes, sliding). Also, the session cookie cannot be removed by the user so there is no way to bypass this behaviour. They can't use the site without accepting session cookies either.

这篇关于如何清除SSL状态，当浏览器用户的会话过期？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！