views:

2576

answers:

1

I'm working on an ASP.NET application where our users authenticate using client certificates over HTTPS. Our users are only using IE7.

Once a client certificate has been used to authenticate successfully it stays in the browser's SSL cache until the process is closed or the user manually clears the SSL cache. We want to be able to clear the SSL cache whenever a user logs out, or their session expires, to improve the security of the system.

Our clients already use smartcards to access the system, which unload certificates automatically when the card is removed from the client computer, but this does not clear the browser cache at all, leaving a potential avenue of attack from another user who had access to the same machine as the genuine user.

I've found out how to do the actual cache clearing from JavaScript:

document.execCommand("ClearAuthenticationCache");

which works perfectly when a user explicitly logs out, as we can execute the script on the client before allowing the user to log in again.

NOTE: IE7 only lets the cache be cleared programmatically when HTTP Keep-Alives are disabled on the web server.

Here's the tricky bit - if a client's session expires, I don't know of any way to handle this in the browser before the user tries to log in again. I can't clear the state when they get to the login page, because I need the state cleared and a new certificate chosen before the page executes on the server.

Any ideas? Apologies for the length of the question, but the background is important for this one.

+1  A: 

Never mind, I came up with a good solution:

  • When the user successfully logs in, we create an additional session cookie that doesn't expire until the browser is closed.

  • If the user comes back to the login page later and the request is unauthenticated, we check for the existence of the session cookie - if it exists, we know that the user has previously had a session, so we explicitly log them out, exactly as we do for the user-initiated logout. If the session cookie doesn't exist then we attempt to automatically log the user in using their certificate.

  • The custom session cookie is deleted for each explicit log out, and re-populated for each successful login.

This gives us the best experience for the user, and guarantees that a certificate will be cached only as long as a session is still valid (15 minutes, sliding). Also, the session cookie cannot be removed by the user so there is no way to bypass this behaviour. They can't use the site without accepting session cookies either.

Sam
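A sketch of the login-page gating Sam describes, written in C# for ASP.NET Web Forms as an added illustration (it is not the poster's code); the class name, enum, cookie name and the Logout.aspx path are assumptions, and the logout page is assumed to run document.execCommand("ClearAuthenticationCache") on the client before offering the login form again:

```csharp
using System;
using System.Web;

// Hypothetical names: LoginGate, LoginAction and the "HadSession" cookie are assumptions.
public enum LoginAction { ProceedAuthenticated, ForceLogoutAndClearCache, AutoLoginWithCertificate }

public static class LoginGate
{
    public const string HadSessionCookieName = "HadSession";

    // Pure decision: unauthenticated request + marker present means a previous session
    // expired while IE still holds the certificate in its SSL cache, so force the logout path.
    public static LoginAction Decide(bool requestIsAuthenticated, bool markerPresent)
    {
        if (requestIsAuthenticated) return LoginAction.ProceedAuthenticated;
        return markerPresent ? LoginAction.ForceLogoutAndClearCache
                             : LoginAction.AutoLoginWithCertificate;
    }

    // Called on every successful login. No Expires => browser session cookie, gone when IE closes.
    public static void SetMarker(HttpResponse response)
    {
        var cookie = new HttpCookie(HadSessionCookieName, "1") { HttpOnly = true, Secure = true };
        response.Cookies.Add(cookie);
    }

    // Called on every explicit logout (user-initiated or forced). A past Expires deletes it.
    public static void ClearMarker(HttpResponse response)
    {
        var cookie = new HttpCookie(HadSessionCookieName, string.Empty)
        {
            HttpOnly = true, Secure = true, Expires = DateTime.UtcNow.AddDays(-1)
        };
        response.Cookies.Add(cookie);
    }

    // Page_Load of the login page: route the request according to Decide().
    public static void OnLoginPageLoad(HttpRequest request, HttpResponse response)
    {
        bool markerPresent = request.Cookies[HadSessionCookieName] != null;
        switch (Decide(request.IsAuthenticated, markerPresent))
        {
            case LoginAction.ForceLogoutAndClearCache:
                ClearMarker(response);
                response.Redirect("~/Logout.aspx"); // assumed page; clears the SSL cache client-side
                break;
            case LoginAction.AutoLoginWithCertificate:
                // Attempt certificate-based login here; on success call SetMarker(response).
                break;
        }
    }
}
```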