Is there any ways to invalidate SSL session (ex. SSLSession.invalidate()) in the web application? The problem is that we are using client certificate authentication and after the user performs logout on re-login we need to check his client certificate again without restarting the browser. The only way to do so is to invalidate SSL session on logout. In the Servlet specification 2.1 there was a special HTTP request attribute "javax.net.ssl.session" where SSLSession object were stored. In the latter versions there are no such an attribute. View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3998295#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...