$Web End SSLSes: Difference between revisions

From m204wiki

Revision as of 19:14, 12 October 2012

<section begin="desc" />Terminate an SSL session<section end="desc" />


$Web_End_SSLSes terminates an SSL session.

Syntax

<section begin="syntax" /> %RC = $Web_End_SSLSes <section end="syntax" />


$Web_End_SSLSes takes no arguments and returns a status code. It is a callable $function (see "Calling Sirius Mods $functions").

<table class="syntaxTable">
<caption>$WEB_END_SSLSES return codes</caption>
<tr><th>Code</th><th>Meaning</th></tr>
<tr><td>-1</td><td>Not a Web Server thread.</td></tr>
<tr><td>0</td><td>Session terminated.</td></tr>
<tr><td>1</td><td>A Web Server thread but not an SSL connection.</td></tr>
</table>


The most likely reason to use $Web_End_SSLSes is to force a Janus Web Server client, that is, a browser, to re-send the previously sent client certificate or to send a new one. This is especially useful if user login sessions are being maintained via SSLSES and the userid has been derived directly or indirectly from the client certificate. It would also be useful in cases where client certificate information is used to control access to certain resources.

Forcing or allowing a browser to send a new client certificate lets the browser's end user change "roles" by sending a certificate associated with the new role. For example, a single end user might be allowed to view corporate accounting information and personnel information for her own department. Access to these two areas might be authorized by two different client certificates. So if the user attempted to access the personnel information while the accounting certificate was "active," it might be useful for the personnel application to do a $WEB_END_SSLSES, then redirect the browser back to the originally requested URL to allow the user to present a different client certificate.

$Web_End_SSLSes might also be useful to force an end user to resend a client certificate when a NEWSESCMD is run because of a timed-out session. While this situation might be difficult to detect, it should be possible with the use of an indicator cookie that is set after a successful $SIR_LOGIN and cleared after a $WEB_END_SSLSES.

Finally, $Web_End_SSLSes can be used in a "logout" page that terminates the use of a client certificate on a public or semi-public workstation, though it may be questionable to depend on end users remembering to go to the logout page to terminate a session. It is probably better to train end users to completely exit the browser when on a public or semi-public workstation, which should end all SSL sessions with all servers.
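The role-switch and indicator-cookie patterns described above, written out as an added User Language example; this is not code from the wiki page or from Sirius Software. It assumes an indicator cookie named SIRROLE that the site's login procedure sets after a successful $SIR_LOGIN, that the personnel application requires the constructed role value 'PERSONNEL', and that the Janus Web Server $functions $Web_Get_Cookie, $Web_Set_Cookie, $Web_URL, $Web_Redirect and $Web_Done are available with their documented behaviour (none of them appear on this page). The cookie name and role value are illustrative only.

```soul
* Added example (not from the $Web_End_SSLSes wiki page). Assumes:
*  - the login procedure sets cookie SIRROLE after a successful $SIR_LOGIN
*  - $Web_Get_Cookie, $Web_Set_Cookie, $Web_URL, $Web_Redirect and
*    $Web_Done behave as documented for Janus Web Server
*  - 'SIRROLE' and 'PERSONNEL' are constructed names for this illustration
BEGIN
%rc     IS FIXED
%role   IS STRING LEN 32
%target IS STRING LEN 255

* Role the currently active client certificate was mapped to at login
%role = $Web_Get_Cookie('SIRROLE')

IF %role NE 'PERSONNEL' THEN
*  Wrong certificate (or no login) for this resource: end the SSL session
*  so the browser must present a client certificate again on its next request
   %rc = $Web_End_SSLSes
   IF %rc EQ 0 THEN
*     Clear the indicator cookie so a timed-out NEWSESCMD session is not
*     mistaken for a still-valid certificate-derived login
      %rc = $Web_Set_Cookie('SIRROLE', '')
   ELSEIF %rc EQ 1 THEN
      PRINT 'Not an SSL connection: no client certificate can be requested'
   ELSE
      PRINT 'Not a Web Server thread'
   END IF
*  Send the browser back to the URL it originally asked for; the new SSL
*  session then carries whichever certificate the user chooses to present
   %target = $Web_URL
   %rc = $Web_Redirect(%target)
   %rc = $Web_Done
   STOP
END IF

* Role matches the active certificate: serve the personnel page normally
PRINT 'Personnel information for the ' WITH %role WITH ' role'
END
```

The same three lines (call $Web_End_SSLSes, clear the indicator cookie, redirect) also serve as the body of a "logout" page; the cookie is cleared only on return code 0 so that a non-SSL or non-Web thread does not silently drop the login indicator while the SSL session is in fact still alive.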