makerofthings7

Reputation: 61433

How can I access a TLS Session ID within an ASP.NET session? (To avoid BEAST cookie theft)

This post refers to a way to avoid cookie theft by using a TLS Session ID as an alternative.

How would I access the TLS Session ID within ASP.NET?

Upvotes: 1

Views: 1054

Answers (1)

ChrisLively

Reputation: 88044

This was getting a bit long for comments and really is the answer:

Review the accepted answer, specifically the first paragraph here: SSL and Load Balancing

What nico posted in the link you provided is just not workable except in a very narrow use case... and requires server changes.

He even lists the real problem in his "disadvantages" section. Namely:

TLS session IDs must be exposed up the TLS and HTTP server-side stack (including any concentrators);

Until those are exposed, which I'm not convinced they ever should be, you aren't going to get access to them within .NET. Bruno pointed out (in the question I linked to) the exact same situation. If you have a load balancer, NAT, or some other appliance like an SSL concentrator, then this information will never even reach your web server...

Upvotes: 1
