0

My asp.net mvc 5 application is configured on IIS to require SSL and a client certificate in order to authenticate. I would also like the user to be able to terminate that session explicty by clicking a link/button (SSL session, not HTTP. No HTTP session is ever created).

Closing the browser seems to work with all browsers. If I do this, the next time I try to access the site I will be forced to start a new SSL session (i.e. choose a client certificate to authenticate with). Effectively, closing the browser clears its SSL cache.

If I could do this programmatically on the client, using javascript, that would be great. Or, preferably, I would like to force the server to expire it's end of the SSL session, using C#, that would be better.

This question has been asked twice before, with 0 answers given. I'm trying to get a fresh set of eyes on it, in the hope that PKI authentication is more common now than 2-4 years ago:

IIS - Reset SSL Session Programmatically

Is it possible to close/manage a SSL connection/session on IIS?

Community
  • 1
  • 1
ccsandrew
  • 51
  • 11
  • I should also note that, the client certificates are mapped to an Active Directory account using IIS's oneToOneClientCertificateMapping capability. We've imagined some pretty heinous hacks to mimic our desired logout behavior using that fact, but nothing has panned out. – ccsandrew Sep 08 '16 at 13:57

1 Answers1

1

A SSL session is either known by client and server or it is not known. There is no API to delete a specific session on the browser, i.e. all you can do is close the browser. The situation is similar on the server side, especially if the stateless session tickets are used to maintain a session. In this case it is not possible to remove a particular session but it is only possible to change the server side secret used to create these tickets which causes all sessions created with this secret to be invalid.

Steffen Ullrich
  • 114,247
  • 10
  • 131
  • 172