Talk:OWASP Periodic Table of Vulnerabilities - Cookie Theft/Session Hijacking
This page suggests the following:
"Tie the session ID to the SSL session and provide configurable options for actions to take if the session ID is transmitted over a new SSL session. Expose integration points with perimeter technologies to facilitate SSL termination, renegotiation, and other transitions."
I believe that this is wrong and impractical. The risk of breaking the normal application flow is really big. The SSL session ID cannot be depended on as the basis for user identification.
More information here:
http://security.stackexchange.com/questions/101440/tie-the-session-id-to-the-ssl-session
http://stackoverflow.com/questions/2817325/retrieve-ssl-session-id-in-asp-net/2885177#2885177