In addition to the attributes currently required to be supported when a
request has been received over a secure protocol, consider adding a
requirement that the container make the value of tls_unique available
via the required to be supported (SSL) attributes.
tls_unique is defined in
http://tools.ietf.org/html/rfc5929
Access to this value will facilitate the practice of creating cookies and
other session identifying tokens that are bound to a specific TLS
connection (iow, that cannot be stolen and reused outside of the
TLS connection under which they were established and returned).
The attribute could be called: javax.servlet.request.tls_unique
Note that support for this attribute above JSSE will require that the
value of verifyData as conveyed in the TLS finished handshake message
be available from the SSLSession object.
Ron