SSL session_id variable

Server NGINX
#1

Hi,

Is it possible to retrieve the SSL session_id variable like in Apache?
http://httpd.apache.org/docs/2.2/mod/mod_ssl.html

Regards,
Sen

#2

On Wed, Sep 23, 2009 at 05:42:46PM +0200, Sen Haerens wrote:

Hi,

Is it possible to retrieve the SSL session_id variable like in Apache?
http://httpd.apache.org/docs/2.2/mod/mod_ssl.html

No, but it can be added. I’m curious to know how do you plan to use it ?

#3

Igor S. wrote:

I’m curious to know how do you plan to use it ?

It can be a secure value to check against and prevent session hijacking.
http://en.wikipedia.org/wiki/Session_fixation#Solution:Utilize_SSL.2F_TLS_Session_identifier

#4

Igor S. wrote:

The attached patch adds $ssl_session_id variable.

Dear Igor,

Thank you for providing this patch.
It’s working great with Nginx 0.7.62. :wink:

Kidn regards,
Sen

#5

On Sun, Sep 27, 2009 at 08:37:50PM +0200, Sen Haerens wrote:

Igor S. wrote:

The attached patch adds $ssl_session_id variable.

Dear Igor,

Thank you for providing this patch.
It’s working great with Nginx 0.7.62. :wink:

Here is the new more correct patch.

#6

Hi Igor,

Are there any plans to add some sort of distributed SSL session cache
(like distcache for apache)?

Thanks!

Regards,
Omar

2009/9/28 Igor S. [email protected]:

#7

On Thu, Sep 24, 2009 at 02:31:48PM +0200, Sen Haerens wrote:

Igor S. wrote:

I’m curious to know how do you plan to use it ?

It can be a secure value to check against and prevent session hijacking.
http://en.wikipedia.org/wiki/Session_fixation#Solution:Utilize_SSL.2F_TLS_Session_identifier

The attached patch adds $ssl_session_id variable.

#8

On Thu, Oct 01, 2009 at 03:22:04PM +1000, Omar Kilani wrote:

Hi Igor,

Are there any plans to add some sort of distributed SSL session cache
(like distcache for apache)?

Not in near future.