Hi all,
is there any way to retrieve the SSL session Id serverside in asp.net?
thanks in advance and greetings
Tim
A:
Tim,
Are you really "just" trying to retrieve the Session ID string or do you maybe lose all session information when switching to SSL? this would be a quite common problem, because the session on serverside is lost when using "InProc" session storage, and the session cookie on the client might be lost when not stored in a common domain.
Therefore, you should switch to state server or sql server session management in Web.config file, for example:
<sessionState mode="SQLServer"
cookieless="true"
regenerateExpiredSessionId="true"
timeout="30"
sqlConnectionString="Data Source=MySqlServer;Integrated Security=SSPI;"
stateNetworkTimeout="30" />
Beside that, I don't really know why you shouldn't be able to retrieve HttpContext.Current.Session.SessionID also in SSL mode as well.
Some MSDN Links:
Maybe this helps somehow.
Best regards
moonground.de
2010-05-21 07:18:18
hi, thx for the answering, but I'm not looking for the ASP.NET SessionId but for the SSL Session Identifier (read http://www.eventhelix.com/realtimemantra/networking/ssl.pdf )
Tim Mahy
2010-05-21 11:55:14
Ok Tim, now I understand. Then just ignore my reply. I think that IF this information is kept somewhere, the only place would be probably the HTTP Headers. "HttpRequest.ServerVariables" contains interesting predefined Variables like: "ALL_RAW" (All Http Headers) and others. See: http://msdn.microsoft.com/en-us/library/ms524602%28VS.90%29.aspx Maybe this helps.
moonground.de
2010-05-21 12:38:42
+1
A:
Hi Tim, the short answer is no. This is an intentional limitation of IIS, so as to prevent people from taking a dependency on something that isn't dependable.
Out on the market, you will find various hardware load-balancers that will offer features like server persistence based on SSL Session ID, but they don't work very well because SSL renegotiation can happen at any time. In Internet Explorer 8, for example, a new SSL session is negotiated for every tab that is opened to a web site. You can expect similar behaviour from other multi-process browsers. So, I must stress that you should not use SSL Session ID for any kind of user identification purposes.
That said -- If you really need the SSL Session ID information for some specialized task, I recommend using Apache, mod_ssl and mod_proxy as a front-end to your IIS system. With a bit of fiddling, you could coerce mod_ssl into giving you the session ID, which you could then add to a proxied request to your IIS server as a query string parameter.... or you could store it in a database.
Warren
2010-05-21 19:59:36
thx, I didn't know IE performed renegotiation, my intented use is not applyable anymore knowning that...
Tim Mahy
2010-05-22 10:02:41
Just as a further FYI, I dug up a blog posting from one of the guys on the MS Exchange team that touches on how this issue affects OWA deployments:http://blogs.msdn.com/brad_hughes/archive/2009/10/15/internet-explorer-8-impacts-owa-load-balancing-scenarios.aspx
Warren
2010-05-22 13:25:17