How to Disable Session ID Caching in curl

By default, curl and its underlying library, libcurl, cache SSL/TLS session IDs to optimize performance and speed up subsequent connections to the same host. While this is beneficial for reducing handshake latency, there are situations—such as SSL/TLS testing, load balancer debugging, or security auditing—where you need to force a full handshake for every request. This article explains how to disable SSL session ID caching using both libcurl and the curl command-line tool.

Disabling Session ID Caching in libcurl (C/C++)

If you are developing an application using libcurl, you can disable session ID caching by using the curl_easy_setopt function with the CURLOPT_SSL_SESSIONID_CACHE option.

By default, this option is enabled (set to 1L). To disable it, set the value to 0L before performing the request:

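#include <stdio.h>
#include <curl/curl.h>

int main(void) {
    CURL *curl = curl_easy_init();
    if(curl) {
        curl_easy_setopt(curl, CURLOPT_URL, "https://example.com");

        // Disable SSL session ID caching (the default is 1L, enabled)
        curl_easy_setopt(curl, CURLOPT_SSL_SESSIONID_CACHE, 0L);

        // Perform the request and report any transfer or TLS error
        CURLcode res = curl_easy_perform(curl);
        if(res != CURLE_OK)
            fprintf(stderr, "curl_easy_perform() failed: %s\n", curl_easy_strerror(res));

        curl_easy_cleanup(curl);
    }
    return 0;
}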

Disabling Session ID Caching in PHP curl

In PHP, you can achieve the same result by passing CURLOPT_SSL_SESSIONID_CACHE as false to the curl_setopt() function:

<?php
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "https://example.com");

// Disable SSL session ID caching
curl_setopt($ch, CURLOPT_SSL_SESSIONID_CACHE, false);

curl_exec($ch);
curl_close($ch);
?>

Disabling Session ID Caching in the curl Command Line

The standard command-line tool curl does not have a dedicated, direct flag to disable the CURLOPT_SSL_SESSIONID_CACHE option. However, command-line curl only caches SSL session IDs within the lifecycle of a single execution.

To ensure session ID caching is bypassed:

  1. Use Separate Commands: If you are running multiple requests, execute them as separate curl commands in your terminal or script instead of passing multiple URLs to a single curl invocation. Every time the curl command terminates, the session cache is completely destroyed.
  2. Disable Connection Reuse: You can force curl to close the connection immediately after the request is complete by using the -H "Connection: close" header, which prevents TCP and SSL reuse on subsequent operations in the same command:
     curl -H "Connection: close" https://example.com
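
The two steps above as a small script, shown next to the single-invocation case they avoid, so the handshake timings can be compared. This is an added example, not part of the original article; tls_times and CURL_BIN are names invented here, and the timing comes from curl's time_appconnect write-out variable.

```shell
#!/bin/sh
# Added example, not from the original article. CURL_BIN and tls_times are
# names invented for this sketch; CURL_BIN lets a test substitute a stub.
CURL_BIN="${CURL_BIN:-curl}"

# tls_times MODE URL...
#   separate  one curl process per URL plus "Connection: close" (steps 1 and 2)
#   shared    every URL in a single curl process (the case the steps avoid)
# Prints one line per URL: curl's time_appconnect, the seconds elapsed until
# the TLS handshake completed.
tls_times() {
    [ "$#" -ge 2 ] || { echo "usage: tls_times separate|shared URL..." >&2; return 2; }
    mode=$1
    shift
    case $mode in
    separate)
        for url in "$@"; do
            # A new process starts with an empty session cache.
            "$CURL_BIN" -sS -o /dev/null -H "Connection: close" \
                -w '%{time_appconnect}\n' "$url" || return 1
        done
        ;;
    shared)
        # -o applies to one URL only, so rebuild the argument list as
        # "-o /dev/null URL" pairs by rotating the positional parameters.
        n=$#
        while [ "$n" -gt 0 ]; do
            url=$1
            shift
            set -- "$@" -o /dev/null "$url"
            n=$((n - 1))
        done
        "$CURL_BIN" -sS -w '%{time_appconnect}\n' "$@"
        ;;
    *)
        echo "unknown mode: $mode" >&2
        return 2
        ;;
    esac
}

# Run only when called with arguments, e.g.:
#   sh tls_times.sh separate https://example.com https://example.com
if [ "$#" -ge 2 ]; then
    tls_times "$@"
fi
```

Run both modes against the same host and compare the per-request values to see what each request costs when nothing is carried over between processes.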