This post refers to a way to avoid cookie theft by using a TLS Session ID as an alternative.
How would I access the TLS Session ID within ASP.NET?
Share
Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
This post refers to a way to avoid cookie theft by using a TLS Session ID as an alternative.
How would I access the TLS Session ID within ASP.NET?
This was getting a bit long for comments and really is the answer:
Review the accepted answer, specifically the first paragraph here: SSL and Load Balancing
What nico posted in the link you provided is just not workable except in a very narrow use case… and requires server changes.
He even lists the real problem in his “disadvantages” section. Namely:
Until those are exposed, which I’m not convinced they ever should be, you aren’t going to get access to them within .Net. Bruno pointed out (in the question I linked to) the exact same situation. If you have a load balancer, NAT or some other appliance like an SSL concentrator then this information will never even reach your web server…