We have an involved (but friendly) discussion between employees about the lifetime of the SSL session that underlies HTTPS communication.
When I establish an HTTPS connection to the server using a normal browser, the base SSL creates a session (including a shared secret) using asymmetric encryption; the rest of the communication is encrypted using (faster) symmetric encryption.
Question: on subsequent HTTPS requests (click the link) to the same server, is the old SSL session used, avoiding the overhead of asymmetric encryption to create the session key? Or is a new asymmetric-encrypted SSL handshake to establish an SSL session necessary?
Or, to put it another way: does an SSL session stay alive between HTTPS requests, or does it end when the HTTPS request ends?
Since we are a bunch of nitpickers, a link to some official source will be appreciated here.
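An added example (not part of the question or any answer in this thread) that checks the question empirically with Go's standard library: it starts a TLS server on the loopback interface with a constructed, in-memory self-signed certificate for `localhost`, connects twice through one client session cache, and reports whether each handshake was a resumption (`DidResume`). The `localhost` name, the throwaway certificate and the `must` helper are fixtures of this demo, not anything from the page.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// localCert builds a throwaway in-memory "localhost" certificate and a pool trusting it (constructed fixture).
func localCert() (tls.Certificate, *x509.CertPool) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"localhost"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key))
	leaf := must(x509.ParseCertificate(der))
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool
}

// ResumeTwice connects twice to a local TLS server through one client session cache and reports DidResume for each.
func ResumeTwice() (first, second bool) {
	cert, pool := localCert()
	ln := must(tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}}))
	defer ln.Close()
	go func() { // server: complete each handshake (which issues a session ticket), then hang up
		for c, e := ln.Accept(); e == nil; c, e = ln.Accept() {
			go func(c *tls.Conn) { c.Handshake(); c.Close() }(c.(*tls.Conn))
		}
	}()
	cfg := &tls.Config{RootCAs: pool, ServerName: "localhost", ClientSessionCache: tls.NewLRUClientSessionCache(8)}
	dial := func() bool {
		c := must(tls.Dial("tcp", ln.Addr().String(), cfg))
		defer c.Close()
		// TLS 1.3 sends the ticket after the handshake: read until close_notify (io.EOF) so the client caches it.
		c.Read(make([]byte, 1))
		return c.ConnectionState().DidResume
	}
	return dial(), dial()
}
```

Each dial is a fresh TCP connection, so the first returns `false` (full handshake) and the second `true` (abbreviated handshake from the cached ticket); removing `ClientSessionCache` from `cfg` makes the second one `false` as well, which is the knob the question is really asking about.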