https client certificate logout/relogin

Árpád Magosányi picture Árpád Magosányi · May 7, 2012 · Viewed 9.1k times · Source

I have a web site using ssl certificate authentication. How to force the web browser from the server to ask again the certificate to be used? It would be useable for logout, but the use case here is switching user identity.

I remember something about directing the user to a page which have ssl settings incompatible with the current authentication certificate, but could not find the right settings.

My setup uses apache mod-ssl, but an IIS solution would also be welcome.

Update: I am specifically asking the server side: how to set up an URL on the same hostname that requires client certificates but rejects all certificates.

For Firefox, javascript:window.crypto.logout(); does work with minor user inconvenience (which I believe could be scripted around).

Answer

Bruno picture Bruno · May 7, 2012

This is rather difficult in general (and certainly one of the reasons why client-certificate usage can be tedious for most users).

From the client side, there are some JavaScript techniques, but they are not supported across the board (see this question).

Using Apache Tomcat 7, you can invalidate the SSL/TLS session using a request attribute, as described in this question.

I'm not aware of any hook that would let you do this with Apache Httpd (and mod_ssl). The mechanisms usable behind Apache Httpd (e.g. mod_php, CGI, FCGI, ...) generally don't get to be able to alter any settings or environment variables set by mod_ssl, which would be necessary to invalidate the session.

On IIS, this question is still unanswered.

The general way, from the browser point of view, is to go into its setting and clear the SSL state (this varies depending on the browser, but usually requires a couple of dialog boxes at least, not just a quick button, at least not without a plugin).