
We have set up a server at localhost:8081, which would be our default website. We have then opened an HTTPS port on 8443 which requires a certificate. The first time there is a request to that port, Chrome/Edge shows a popup dialog with the available certificates (one in our case). We then have a program that kicks in which does other authorizations that make the certificate available, so that the browser can send it to the server. However, if we try to connect to that port a second time, the browser seems to have cached the certificate and sends it to the server without showing the popup dialog. We are sure to have invalidated all sessions on the server side. It seems the only way to re-prompt for the certificate is to restart the browser or go incognito. Is there any way to force the browser not to cache the certificates?

  • Why do you want this? – Crypt32 Oct 27 '21 at 16:01
  • We are using client-side authentication that requires the clients to authorize themselves through a card reader. The card in turn has the certificate that the server port will accept. The problem we are facing is that the browser still seems to have the certificate even if the card is removed, which bypasses the whole authorization process through the card. – Aigeth Magendran Oct 28 '21 at 06:33
  • You have to configure your smart card driver to clear all certificates and authentication tokens on card removal from the reader. This is the root of your problem. – Crypt32 Oct 28 '21 at 06:36
  • The certificates are cleared. I have also checked certmgr and they are gone after card removal. – Aigeth Magendran Oct 28 '21 at 06:51
  • Sorry, but the main problem still remains: the browser still caches the certificate even after they have been removed from the computer. I have read online that it has to do with Chromium-based browsers and TLS v1.2 – Aigeth Magendran Oct 28 '21 at 10:33
  • Well, if this is the case, did you try to `hard refresh` the page? Just press `Ctrl+F5` and try it. But if you don't want it to be cached, you can try to disable it, refer to [this case](https://stackoverflow.com/questions/5690269/disabling-chrome-cache-for-website-development). Otherwise I think you have to use incognito mode. – Xudong Peng Oct 29 '21 at 03:02
  • Hard refresh does not work and it is not an acceptable solution for our case. – Aigeth Magendran Nov 08 '21 at 16:16

1 Answer


I have managed to solve it by doing two things, and before that I just want to clarify what we are doing. We have a smart card reader that detects a card. If a card is inserted, Chrome shows the certificate dialog. After selecting the certificate, the smart card reader authenticates the card through a PIN dialog and sends the card's certificate to the server. If the card was removed and reinserted it should re-prompt the PIN dialog, but in our case it did not, since Chrome/Edge cached the session. We are using Spring Boot with Apache, and doing the following things solved our problem:

At the request handler, using httpResponse.addHeader("Connection", "close"):

import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

private void handleSessionUnlockRequest(HttpServletRequest httpRequest, HttpServletResponse httpResponse) throws IOException {
    ...
    ...
    httpResponse.addHeader("Access-Control-Allow-Credentials", "true");
    // Keep the browser from caching the response
    httpResponse.addHeader("Cache-Control", "no-cache, no-store, max-age=0, must-revalidate");
    // Close the keep-alive connection so the next request has to open a new TLS connection
    httpResponse.addHeader("Connection", "close");

    writer.flush();
    // Drop the HTTP session on the server side as well
    httpRequest.getSession().invalidate();
}

At the HTTP connector, by setting hostConfig.setSessionTimeout(1):

import org.apache.catalina.connector.Connector;
import org.apache.coyote.http11.Http11NioProtocol;
import org.apache.tomcat.util.net.SSLHostConfig;

private Connector getHttpConnector() {
    Connector connector = new Connector("org.apache.coyote.http11.Http11NioProtocol");
    Http11NioProtocol protocol = (Http11NioProtocol) connector.getProtocolHandler();
    connector.setScheme("https");
    connector.setSecure(true);
    ...
    ...
    protocol.setSslEnabledProtocols("TLSv1.2");
    protocol.setClientAuth("Required");
    // Expire cached TLS sessions after one second, so a reconnecting browser
    // cannot resume the old session and has to do a full handshake (and present the certificate) again
    for (SSLHostConfig hostConfig : connector.findSslHostConfigs()) {
        hostConfig.setSessionTimeout(1);
    }

    return connector;
}
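The two fragments above combined into one Spring Boot configuration class, as an added example that is not the answerer's code. It assumes Spring Boot 2.x on embedded Tomcat 9 (javax.servlet), that the card-authenticated port is 8443 and the unlock endpoint is /session/unlock, and placeholder keystore paths and passwords; all of those names are assumptions. The connector part forces TLS 1.2 with a mandatory client certificate and a one-second TLS session lifetime, and the filter adds Connection: close to the unlock response before the handler commits it, which is what actually prevents the browser from reusing the already-authenticated connection.

```java
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.catalina.connector.Connector;
import org.apache.coyote.http11.Http11NioProtocol;
import org.apache.tomcat.util.net.SSLHostConfig;
import org.apache.tomcat.util.net.SSLHostConfigCertificate;
import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
import org.springframework.boot.web.server.WebServerFactoryCustomizer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.filter.OncePerRequestFilter;

/** Example configuration (not the answerer's code): mutual-TLS connector on 8443 without session reuse. */
@Configuration
public class CardAuthConnectorConfig {

    // Assumed values; the real port, path, keystore files and passwords come from your deployment.
    static final int CARD_PORT = 8443;
    static final String UNLOCK_PATH = "/session/unlock";
    static final String SERVER_KEYSTORE = "/etc/app/server.p12";
    static final String CARD_CA_TRUSTSTORE = "/etc/app/card-ca.p12";
    static final String STORE_PASSWORD = "changeit";

    /** Registers the 8443 connector next to the default connector on 8081, which stays untouched. */
    @Bean
    public WebServerFactoryCustomizer<TomcatServletWebServerFactory> cardAuthConnector() {
        return factory -> factory.addAdditionalTomcatConnectors(buildCardAuthConnector());
    }

    static Connector buildCardAuthConnector() {
        Connector connector = new Connector(Http11NioProtocol.class.getName());
        Http11NioProtocol protocol = (Http11NioProtocol) connector.getProtocolHandler();
        connector.setPort(CARD_PORT);
        connector.setScheme("https");
        connector.setSecure(true);
        protocol.setSSLEnabled(true);

        SSLHostConfig hostConfig = new SSLHostConfig();
        // TLS 1.2 only: TLS 1.3 resumes with PSK tickets, and a resumed handshake never re-asks for the client cert.
        hostConfig.setProtocols("TLSv1.2");
        // The card certificate is mandatory and must chain to the card CA in the truststore.
        hostConfig.setCertificateVerification("required");
        hostConfig.setTruststoreFile(CARD_CA_TRUSTSTORE);
        hostConfig.setTruststorePassword(STORE_PASSWORD);
        // Cached TLS sessions expire after one second, so a reconnecting browser cannot do an
        // abbreviated handshake and has to present the certificate (and unlock the card) again.
        hostConfig.setSessionTimeout(1);

        SSLHostConfigCertificate serverCert =
                new SSLHostConfigCertificate(hostConfig, SSLHostConfigCertificate.Type.UNDEFINED);
        serverCert.setCertificateKeystoreFile(SERVER_KEYSTORE);
        serverCert.setCertificateKeystorePassword(STORE_PASSWORD);
        hostConfig.addCertificate(serverCert);
        connector.addSslHostConfig(hostConfig);
        return connector;
    }

    /**
     * The unlock response on the card port carries Connection: close, so the browser's next request
     * needs a new TCP connection and therefore a new TLS handshake. The headers are set before the
     * handler runs, because headers added after the response is committed are silently dropped.
     */
    @Bean
    public OncePerRequestFilter closeUnlockConnection() {
        return new OncePerRequestFilter() {
            @Override
            protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                            FilterChain chain) throws ServletException, IOException {
                if (request.getLocalPort() == CARD_PORT && request.getRequestURI().startsWith(UNLOCK_PATH)) {
                    response.setHeader("Cache-Control", "no-cache, no-store, max-age=0, must-revalidate");
                    response.setHeader("Connection", "close");
                }
                chain.doFilter(request, response);
            }
        };
    }
}
```

To check that the server really stops resuming sessions, run `openssl s_client -connect localhost:8443 -cert card.pem -key card.key -reconnect` (the client certificate and key files are placeholders): it performs one handshake and then reconnects five times with the same session, and with the one-second timeout each reconnect should report "New, TLSv1.2" rather than "Reused, TLSv1.2". The one-second window still allows resumption of a session that is less than a second old, which is why the filter's Connection: close is also needed; the session invalidation stays in the unlock handler, as in the answer.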