11

I'm using client certificates in SSL sessions to authenticate users, but I'm having a bit of a problem with cached sessions. (I have configured IIS to accept—not require—client certificates.)

Normal situation:
A user accesses the page that asks for the certificate. The browser launches the certificate selector, the user selects the desired certificate (and enters a PIN if needed), and everything goes forward as it should.

Situation where things don't work as expected:
A user accesses the page that asks for the certificate. The browser launches the certificate selector, and the user selects the desired certificate, but then cancels at the PIN dialog. The user is redirected to the previous page because no certificate was sent. The user tries to log in again, but the attempt automatically fails because the last SSL session was cached.

I solved this in IE using document.execCommand("ClearAuthenticationCache");, but it still doesn't work in FF or Chrome because they don't support the method. Is there any way to solve this?

SOLO
RicardoSBA

3 Answers

6

You may be interested in this discussion and this Chromium issue. In particular, you should try:

if (window.crypto) window.crypto.logout();
Bruno
  • It seems it will take a while to solve... Using crypto in Chrome gives me this: TypeError: Object # has no method 'logout. According to the devs, they will only implement DOMCrypto after it has matured and will not implement crypto, where they implemented very little. http://www.mail-archive.com/webkit-dev@lists.webkit.org/msg16213.html Important part: "I'd like to re-iterate that we have no intention of enabling this feature by default until the specification and standards process is more mature. Experimenting with this API should have very little impact on other consumers of WebKit." – RicardoSBA Mar 15 '12 at 17:25
  • 3
    As pointed out by @RuhollahDelpak, this no longer works with recent releases. – Bruno Apr 27 '15 at 13:52
4

For Chrome (at least in 19.0.1084.30 beta), it seems that, if you can set up a URL on the same hostname that requires a client certificate but rejects all certificates, then making a request to that URL will have the same effect as window.crypto.logout(). For example, if /ssl_logout/ is the specially-configured URL:

var xmlHttp = new XMLHttpRequest();
xmlHttp.onreadystatechange = function () {
    // put any actions to carry out upon logout here
};
xmlHttp.open( "GET", "/ssl_logout/", true );
xmlHttp.send();

(Using a page containing an iframe or img with src="/ssl_logout/" works, too.)

Isaac
  • How would you configure such a url in apache or nginx? – Nick Retallack Sep 19 '14 at 20:44
  • Is that even possible? SSL negotiation happens before the URL is transmitted, AFAIK. – David Balažic Sep 29 '14 at 13:21
  • 1
    @DavidBalažic: [The Apache documentation for `SSLVerifyClient`](http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslverifyclient) says that it can be used at the directory or .htaccess levels, so it must be able to do it post-negotiation—I would imagine that the negotiation happens, the connection is established, Apache does some more work, and then can reject the cert, but I don't know enough about the underlying mechanics of HTTPS to know for sure or how it happens. I did verify at the time of posting that my answer worked (with Apache, I think). – Isaac Sep 29 '14 at 23:53
  • 1
    @NickRetallack: I believe I did it in Apache by using `SSLVerifyClient require` and `SSLVerifyDepth 0`, so that (almost) any cert would fail validation (I suppose, technically, someone could present a root cert known to Apache and that might validate...). – Isaac Sep 29 '14 at 23:56
  • Hm. I'm using nginx though, which only allows those settings on the virtualhost level. Perhaps I should have it proxy to apache for one url just to log you out? – Nick Retallack Sep 30 '14 at 20:57
  • @NickRetallack: or use the `window.crypto` solution? It seems like a better solution, just wasn't supported across various browsers 2+ years ago... maybe it is now? – Isaac Sep 30 '14 at 21:44
  • @NickRetallack: Ugh, still? That's unfortunate. And [it looks like nginx won't add more granular `ssl_verify_client`](http://trac.nginx.org/nginx/ticket/317). – Isaac Oct 01 '14 at 02:52
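As an added example (not from Isaac's answer or the Apache project's own docs), this is how the /ssl_logout/ location could be set up in Apache mod_ssl using the `SSLVerifyClient require` plus `SSLVerifyDepth 0` combination from the comments; the hostname, certificate paths and virtual-host layout are placeholders.

```apache
# Added example, not part of the answers above. Assumes the site normally
# accepts (but does not require) client certificates issued by client-ca.pem,
# matching the question's IIS setup. All paths and the hostname are placeholders.
<VirtualHost *:443>
    ServerName example.test
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/example.test.pem
    SSLCertificateKeyFile /etc/ssl/private/example.test.key
    SSLCACertificateFile  /etc/ssl/certs/client-ca.pem

    # Application default: ask for a certificate, but let requests through
    # without one, and accept chains up to 10 CA certificates deep.
    SSLVerifyClient optional
    SSLVerifyDepth  10

    # The logout URL from Isaac's answer: a certificate is now mandatory, but
    # depth 0 only passes self-signed certificates, so anything issued by
    # client-ca.pem fails verification and the request is refused (HTTP 403).
    # Because the per-location setting is stricter than the virtual host's,
    # mod_ssl renegotiates the TLS session for this request; that failed
    # renegotiation is what makes the browser drop its cached certificate
    # choice. As Isaac notes, a self-signed certificate that is itself listed
    # in client-ca.pem would still validate here.
    <Location /ssl_logout/>
        SSLVerifyClient require
        SSLVerifyDepth  0
    </Location>
</VirtualHost>
```

This relies on mid-connection renegotiation, which exists in TLS 1.2 and earlier but was removed in TLS 1.3, so verify the behaviour against the browsers and protocol versions you actually serve.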
1

In IE6+:

document.execCommand('ClearAuthenticationCache');
  • This does not work if the user selected no certificate. He has to restart the browser. Unless I don't know of any other solution. – David Balažic Sep 29 '14 at 14:34