Lifetime of the SSL session in https

Jens Schauder · Jan 5, 2010 · Viewed 16k times

We have an engaged (but friendly) discussion between coworkers about the lifetime of the SSL session underlying an https communication.

When I establish an https connection to a server using a normal browser, the underlying SSL creates a session (including a shared secret) using asymmetric encryption; the rest of the communication is encrypted using (faster) symmetric encryption.

The question is: On subsequent https requests (click on a link) to the same server, is the old SSL session used again, avoiding the overhead of the asymmetric encryption for establishing a session key? Or is a new asymmetric encrypted SSL handshake for establishing an SSL session necessary?

Or to word it differently: Does an SSL session stay alive between https requests, or does it end with the end of the https request?

Since we are a bunch of nitpickers over here, a reference to some authoritative source would be appreciated.

Answer

PressingOnAlways · Oct 23, 2012

Tested this out with Chrome:

Navigate to https://www.americanexpress.com. netstat shows:

$ netstat -n -p tcp|grep 184.86.149.155
tcp4       0      0  10.177.78.58.50311     184.86.149.155.443     ESTABLISHED
tcp4       0      0  10.177.78.58.50310     184.86.149.155.443     ESTABLISHED
tcp4       0      0  10.177.78.58.50309     184.86.149.155.443     ESTABLISHED

On navigating to other links on the website, netstat shows:

$ netstat -n -p tcp|grep 184.86.149.155
tcp4       0      0  10.177.78.58.50311     184.86.149.155.443     ESTABLISHED
tcp4       0      0  10.177.78.58.50310     184.86.149.155.443     ESTABLISHED
tcp4       0      0  10.177.78.58.50309     184.86.149.155.443     ESTABLISHED

The session was kept alive. When I closed the browser tab, and re-opened the tab, another connection was opened:

$ netstat -n -p tcp|grep 184.86.149.155
tcp4       0      0  10.177.78.58.50398     184.86.149.155.443     ESTABLISHED
tcp4       0      0  10.177.78.58.50311     184.86.149.155.443     ESTABLISHED
tcp4       0      0  10.177.78.58.50310     184.86.149.155.443     ESTABLISHED
tcp4       0      0  10.177.78.58.50309     184.86.149.155.443     ESTABLISHED

It would appear that modern browsers utilize the same keep-alive timeouts as http. These timeouts can be viewed here:

http://gabenell.blogspot.com/2010/11/connection-keep-alive-timeouts-for.html
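
The comparison made by eye in the answer above can be automated. This is an added example, not part of the original answer: it parses two BSD/macOS-style netstat snapshots (copied from the answer) and reports which TCP sockets to port 443 persisted and which were newly opened. A socket that persists carries its existing TLS session with no new handshake; a newly opened socket needs a handshake, and netstat alone cannot tell whether that handshake was full or a resumed (abbreviated) one. The function names are illustrative.

```python
import re

# BSD/macOS netstat row: proto recv-q send-q local.port remote.port state
ROW = re.compile(
    r"^(tcp[46]?)\s+\d+\s+\d+\s+(\S+)\.(\d+)\s+(\S+)\.(\d+)\s+(\S+)\s*$"
)

def established(snapshot, remote_port=443):
    """Return the set of ESTABLISHED sockets as (lip, lport, rip, rport)."""
    socks = set()
    for line in snapshot.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # shell prompt, header or blank line
        _, lip, lport, rip, rport, state = m.groups()
        if state == "ESTABLISHED" and int(rport) == remote_port:
            socks.add((lip, int(lport), rip, int(rport)))
    return socks

def compare(before, after):
    """Classify sockets between two snapshots taken at different times."""
    a, b = established(before), established(after)
    return {"kept": a & b, "opened": b - a, "closed": a - b}

# Snapshots taken from the answer above: after following links on the
# site, and after closing and re-opening the browser tab.
AFTER_NAVIGATION = """\
$ netstat -n -p tcp|grep 184.86.149.155
tcp4       0      0  10.177.78.58.50311     184.86.149.155.443     ESTABLISHED
tcp4       0      0  10.177.78.58.50310     184.86.149.155.443     ESTABLISHED
tcp4       0      0  10.177.78.58.50309     184.86.149.155.443     ESTABLISHED
"""
AFTER_REOPEN = """\
$ netstat -n -p tcp|grep 184.86.149.155
tcp4       0      0  10.177.78.58.50398     184.86.149.155.443     ESTABLISHED
tcp4       0      0  10.177.78.58.50311     184.86.149.155.443     ESTABLISHED
tcp4       0      0  10.177.78.58.50310     184.86.149.155.443     ESTABLISHED
tcp4       0      0  10.177.78.58.50309     184.86.149.155.443     ESTABLISHED
"""

if __name__ == "__main__":
    for kind, socks in compare(AFTER_NAVIGATION, AFTER_REOPEN).items():
        print(kind, sorted(socks))
```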