On 22:36 Mon 27 Apr, Norman Feske wrote:
This leads to the following question: can the server refuse to close a session?
yes, a server may ignore the session-close request. Servers that are used by clients of different security levels (e.g., the nitpicker GUI server that serves both untrusted clients and security-critical clients at the same time) must be designed and implemented with special care. Besides the correct response to session-close requests, another consideration is the adherence to the security policy as configured by the parent. The mere fact that a server is a child of its parent does not imply that the parent won't need to trust it in some respects.
In cases where is not viable to trust the server (e.g., because the server is based on ported software that is too complex for thorough evaluation), certain security properties such as the effectiveness of closing sessions could be enforced by a small (and thereby trustworthy) intermediate server that sits in-between the real server and the client. This intermediate server would then effectively wrap the server's session interface.
Thanks for the detailed clarification!
--prashanth