Apache “SSLSessionCacheTimeout” with Client Certs


After logging onto my web app, users need to authenticate with a X.509 cert.

After a period of inactivity, a user will try to continue using the site. At that point, a new session will be attempted to be made, but fail. It fails due to the fact that re-authentication is not occurring.

If I were to increase Apache's SSLSessionCacheTimeout to, let's say, 8 hours , would the client no longer need to re-authenticate during session creation?

Note – assuming a new session needs to be created within the 8 hours set for the Apache SSLSessionCacheTimeout.

EDIT Or, does the SSL session not impact HTTPS sessions at all?

Best Solution

Take a look at the Apache SSL documentation http://www.apache-ssl.org/docs.html Look for "SSLSessionCacheTimeout" according to the documentation increasing the value of this setting should work.