What are the advantages of tracking-mode SSL vs. COOKIE?

Question

I am creating a JSF application deployed in Tomcat/EE (with CLIENTCERTs). By default, the jsessionid (generated with a SecureRandom, so it looks safe) was set in the URL, which I disabled for security reasons by changing the SessionTrackingMode.

Now I am trying to find the security advantages/disadvantages of using:

<tracking-mode>SSL</tracking-mode> vs. <tracking-mode>COOKIE</tracking-mode>

(considering security almost always has an impact on performance and other variables). Probably one of the problems is that I do not know what SSL tracking-mode exactly does. This API documentation is not very clear.

When should I use one or the other?

PS: I know this is not specific of Tomcat or JSF but I need to give context to the question

Answer 1

I would recommend the use of cookie-based session-tracking over SSL session-tracking for a few reasons:

1. Using SSL session-tracking may prevent explicit (user-initiated) logouts
2. Using SSL session-tracking may prevent sessions from being terminated due to inactivity-timeouts
3. Using SSL session-tracking may cause unexpected logouts (due to TLS renegotiation, which changes the TLS session-id)
4. Using SSL session-tracking will make it harder to debug, troubleshoot, and generally manipulate your own application if necessary (telling a client to clear their cookies is easier and less arcane than asking them to expire their TLS session-ids)

FWIW, IBM WebSphere has dropped support for SSL-based session-tracking as of version 7.0 (circa 2008).

I don't see any advantage to using SSL-based session-tracking.