Does there already exists an asp.net implementation for "A secure cookie protocol"

is there any (opensource) asp.net implementation (in the form of an httphandler or other) for the following paper: http://开发者_如何学编程www.cse.msu.edu/~alexliu/publications/Cookie/cookie.pdf

This paper is making the assumption that an HMAC+Symmetric Cipher is sufficient for defending against all attacks against an HTTP session. This is an incorrect assumption as this still leaves the door open to MITM attacks. Further this purposed cryptographic system is better implemented as block cipher in CMAC mode, but this is equally vulnerable.

Without protecting the actual HTTP content you open the door to an xss style attack. An attacker would forward the traffic normally, but append some malicious javascript to conduct its own requests using XHR. This is assuming that other basic session security systems are in place such as "HTTP-Only" cookies.

In short, yes there is an open source protocol that protects your session from all attacks. Its SSL! SSL uses a PKI to deafened against MITM, and this is by far the best solution. HTTPS is required to be used throughout the entire session and this is a requirement of the OWASP top 10 Broken Authentication and Session Management.