
Lifetime of the SSL session in https

We have an engaged (but friendly) discussion between coworkers about the lifetime of the SSL session underlying an https communication.

When I establish an https connection to a server using a normal browser, the underlying SSL creates a session (including a shared secret) using asymmetric encryption; the rest of the communication is encrypted using (faster) symmetric encryption.

The question is: On subsequent https requests (click on a link) to the same server, is the old SSL session used again, avoiding the overhead of the asymmetric encryption for establishing a session key? Or is a new asymmetric encrypted SSL handshake for establishing an SSL session necessary?

Or to word it differently: Does an SSL session stay alive between https requests, or does it end with the end of the https request?

Since we are a bunch of nitpicks over here, a reference to some authoritative source would be appreciated.

Jens Schauder asked Jan 05 '10 12:01


1 Answer

Tested this out with Chrome:

Navigate to https://www.americanexpress.com. netstat shows:

$ netstat -n -p tcp|grep 184.86.149.155
tcp4       0      0  10.177.78.58.50311     184.86.149.155.443     ESTABLISHED
tcp4       0      0  10.177.78.58.50310     184.86.149.155.443     ESTABLISHED
tcp4       0      0  10.177.78.58.50309     184.86.149.155.443     ESTABLISHED

On navigating to other links on the website, netstat shows:

$ netstat -n -p tcp|grep 184.86.149.155
tcp4       0      0  10.177.78.58.50311     184.86.149.155.443     ESTABLISHED
tcp4       0      0  10.177.78.58.50310     184.86.149.155.443     ESTABLISHED
tcp4       0      0  10.177.78.58.50309     184.86.149.155.443     ESTABLISHED

The session was kept alive. When I closed the browser tab, and re-opened the tab, another connection was opened:

$ netstat -n -p tcp|grep 184.86.149.155
tcp4       0      0  10.177.78.58.50398     184.86.149.155.443     ESTABLISHED
tcp4       0      0  10.177.78.58.50311     184.86.149.155.443     ESTABLISHED
tcp4       0      0  10.177.78.58.50310     184.86.149.155.443     ESTABLISHED
tcp4       0      0  10.177.78.58.50309     184.86.149.155.443     ESTABLISHED

It would appear that modern browsers utilize the same keep-alive timeouts as http. These timeouts can be viewed here:

http://gabenell.blogspot.com/2010/11/connection-keep-alive-timeouts-for.html

PressingOnAlways answered Oct 05 '22 23:10
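
The snapshot comparison used in the answer above, automated as an added example (not part of the original answer): it reports which sockets to the server persisted between two netstat runs and which are new. The function name `conn_diff` is hypothetical and the BSD/macOS `address.port` netstat layout shown in the answer is assumed; netstat only shows TCP connection reuse, so whether a new connection performed a full or a resumed TLS handshake is not visible here.

```shell
#!/bin/sh
# Added example. The snapshots are copied from the netstat output in the answer.
# Assumes BSD/macOS netstat columns: proto recv-q send-q local foreign state.

# Snapshot after navigating to other links on the site.
SNAP_NAV='tcp4       0      0  10.177.78.58.50311     184.86.149.155.443     ESTABLISHED
tcp4       0      0  10.177.78.58.50310     184.86.149.155.443     ESTABLISHED
tcp4       0      0  10.177.78.58.50309     184.86.149.155.443     ESTABLISHED'

# Snapshot after closing and re-opening the browser tab.
SNAP_REOPEN='tcp4       0      0  10.177.78.58.50398     184.86.149.155.443     ESTABLISHED
tcp4       0      0  10.177.78.58.50311     184.86.149.155.443     ESTABLISHED
tcp4       0      0  10.177.78.58.50310     184.86.149.155.443     ESTABLISHED
tcp4       0      0  10.177.78.58.50309     184.86.149.155.443     ESTABLISHED'

# conn_diff EARLIER LATER REMOTE
#   EARLIER, LATER: netstat output captured at two points in time
#   REMOTE:         server endpoint exactly as netstat prints it (ip.port)
# Prints one line per local socket: "kept", "new" or "closed".
# A "kept" socket is the same TCP connection (same local ephemeral port),
# so the requests in between ran over the TLS state already set up on it.
conn_diff() {
    { printf '%s\n' "$1"; echo '--SNAP--'; printf '%s\n' "$2"; } |
    awk -v remote="$3" '
        $0 == "--SNAP--" { later = 1; next }
        $5 == remote && $6 == "ESTABLISHED" {
            if (later) after[$4] = 1; else before[$4] = 1
        }
        END {
            for (s in after) {
                tag = (s in before) ? "kept" : "new"
                print tag, s
            }
            for (s in before) if (!(s in after)) print "closed", s
        }' | sort
}

conn_diff "$SNAP_NAV" "$SNAP_REOPEN" 184.86.149.155.443
```

For live use, capture `netstat -n -p tcp` into two variables a few clicks apart and pass them in place of the embedded snapshots.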