Lifetime of the SSL session in https

Question

We have an engaged (but friendly) discussion between coworkers about the life time of the SSL session underlying a https communication.

When I establish a https connection to a server using a normal browser the underlying ssl creates a session (including a shared secret) using asymmetric encryption, the rest of the communication is encrypted using (faster) symmetric encryption.

The question is: On a subsequent https requests (click on a link) to the same server, is the old ssl session used again, avoiding the overhead of the asymmetric encryption for establishing a session key? Or is a new asymmetric encrypted ssl handshake for establishing a ssl session necessary?

Or to word it differently: Does a SSL session stays alive between https requests, or does it end with the end of the https request?

Since we are a bunch of nitpicks over here a reference to some authorative source would be apreciated.

Answer 1

See section 2.2 of http://www.ietf.org/rfc/rfc2818.txt and section 8.1 of http://www.ietf.org/rfc/rfc2616.txt

In essence, the SSL session SHOULD be maintained while the client maintains a persistent connection.

For more information about the implementation of persistent connections in popular browsers see http://en.wikipedia.org/wiki/HTTP_persistent_connection#Use_in_web_browsers

Answer 2

If your browser supports session resuming and the server has cached the session, then you may be able to continue a session between connections, GNUTLS supports this and you can see a demo here:

https://test.gnutls.org:5556/