Search code examples
google-chromemicrosoft-edgex509certificatetls1.2

Require browser to not cache certificates

We have setup a setup a server at localhost:8081 which would be our default website. We have then opened a https port on 8443 which requires a certificate. The first time there is a request to that port Chrome/Edge shows a popup-dialog with available certificates (1 in our case). We then have a program that kicks in which does other authorizations that makes the certificate available so that the browser can send it to the server. However if we try to connect to that port a second time the browser seems to have cached the certificate and sends it to the server without showing the popup-dialog. We are sure to have invalidated all sessions at the server side. It seems the only way to reprompt the certificate is to restart the browser or go incognito. Is there any way to force the browser not to cache the certificates?

Solution

  • I have managed to solve it by doing two things and before that I just want to clarify what we are doing. We have a smart card reader that detects a card. If a card is inserted, chrome shows certificate dialog. After selecting the certificate the smart card reader authenticates the card through a pin dialog and sends the cards certificate to the server. If the card was removed and reinserted it should reprompt the pin dialog but in our case it did not since chrome/edge cached the session. We are using Spring boot with Apache and doing the following things solved our problem:

    At requesthandler using httpResponse.addHeader("Connection","close"):

    private void handleSessionUnlockRequest(HttpServletRequest httpRequest, HttpServletResponse httpResponse) throws IOException {
    ...
    ...
    httpResponse.addHeader("Access-Control-Allow-Credentials",
            "true");
    httpResponse.addHeader("Cache-Control",
            "no-cache, no-store, max-age=0, must-revalidate");
    httpResponse.addHeader("Connection","close");


    writer.flush();
    httpRequest.getSession().invalidate();
}

    At HttpConnector by setting hostConfig.setSessionTimeout(1):

     private Connector getHttpConnector() {
    Connector connector = new Connector("org.apache.coyote.http11.Http11NioProtocol");
    Http11NioProtocol protocol = (Http11NioProtocol) connector.getProtocolHandler();
    connector.setScheme("https");
    connector.setSecure(true);
    ...
    ...
    protocol.setSslEnabledProtocols("TLSv1.2");
    protocol.setClientAuth("Required");
    for(SSLHostConfig hostConfig : connector.findSslHostConfigs()){
        hostConfig.setSessionTimeout(1);
    }

    return connector;

}