Session tracking via SSL session ids is currently not supported in GlassFish, but would be trivial to implement, since the HTTPS engine already exposes the SSL session id of HTTPS requests to the servlet container via the (proprietary) "javax.servlet.request.ssl_session" request attribute.
I am going to file an enhancement request to have this type of session tracking supported by GlassFish v3.
This would also be the right time to have the Servlet EG agree on a standard name for this type of request attribute.
While the Servlet spec already defines request attribute names "javax.servlet.request.cipher_suite", "javax.servlet.request.key_size", and "javax.servlet.request.X509Certificate", whose corresponding attribute values carry the SSL cipher suite, cryptographic key size, and client certificate chain, respectively, it does not define any attribute name for the the SSL session id.
I will propose to the Servlet EG that "javax.servlet.request.ssl_session" (or better "javax.servlet.request.ssl_session_id") be added to the list of standard attribute names.
[Message sent by forum member 'jluehe' (jluehe)]
http://forums.java.net/jive/thread.jspa?messageID=267416