Are AuthTickets Secure?

Discussion in 'ASP .Net Security' started by Dima Maltsev, Aug 23, 2006.

  1. Dima Maltsev

    Dima Maltsev Guest

    HI All,

    I've a question about AuthTickets.

    Microsoft recommends using either SSL for all pages or Encryption to
    protect the AuthTicket. Here is the quote from the
    http://support.microsoft.com/kb/813829/ page:

    "How to Help Make Forms Authentication Secure
    • Use SSL for all pages.
    • Use the Encrypt method of the FormsAuthentication class."


    While I understand why SSL would protect the ticket, I have the following
    concern regarding the second (Encryption) option.
    If a user after logging in clicks on a page which is being served over HTTP,
    the AuthTicket is still being sent back to a browser in a cookie. Such
    requests (for non-secure (HTTP) pages) can be intercepted by "a man in the
    middle". Even though the AuthTicket is encrypted, it can be used as is by a
    hacker to hijack the user's session.

    Am I missing something? Can anybody comment on this?

    Thanks,
    Dima Maltsev
    Dima Maltsev, Aug 23, 2006
    #1

  2. Joe Kaplan

    Joe Kaplan Guest

    You are right. The cookie is vulnerable to theft if the channel is not
    encrypted. Use SSL for all serious secure sites.

    In my opinion, the encryption of the cookie primarily serves to make it
    opaque to the end user.

    Joe K.

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    --
    "Dima Maltsev" <Dima > wrote in message
    news:...
    > HI All,
    >
    > I've a question about AuthTickets.
    >
    > Microsoft recommends using either SSL for all pages or Encryption to
    > protect the AuthTicket. Here is the quote from the
    > http://support.microsoft.com/kb/813829/ page:
    >
    > "How to Help Make Forms Authentication Secure
    > • Use SSL for all pages.
    > • Use the Encrypt method of the FormsAuthentication class."
    >
    >
    > While I understand why SSL would protect the ticket, I have the following
    > concern regarding the second (Encryption) option.
    > If a user after logging in clicks on a page which is being served over
    > HTTP,
    > the AuthTicket is still being sent back to a browser in a cookie. Such
    > requests (for non secure (HTTP) pages) can be intercepted by "a man in the
    > middle". Even though the AuthTicket is encrypted, it can be used as is by
    > a
    > hacker to hijack the user's session.
    >
    > Am I missing something? Can anybody comment on this?
    >
    > Thanks,
    > Dima Maltsev
    >
    Joe Kaplan, Aug 23, 2006
    #2
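A web.config fragment, added here as an example (it is not from the thread or from the Microsoft KB article), that puts Joe's advice into effect: the weak setting next to the hardened one. It assumes an ASP.NET 2.0 application whose login page is called Login.aspx (placeholder name).

```xml
<!-- Added example, not from the thread. With requireSSL="false" (the default)
     ASP.NET issues the forms-authentication cookie without the Secure flag, so
     the browser also sends it on plain-HTTP requests, where it can be captured
     and replayed as-is; the ticket being encrypted does not change that. -->
<configuration>
  <system.web>

    <!-- Weak: the ticket is encrypted and signed but still travels over HTTP. -->
    <!--
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx" protection="All" requireSSL="false" />
    </authentication>
    -->

    <!-- Hardened: requireSSL="true" marks the cookie Secure, so the browser
         only sends it over HTTPS, and FormsAuthentication refuses to issue the
         ticket on a non-SSL request. protection="All" keeps the ticket
         encrypted and signed so it stays opaque and tamper-evident; a short,
         non-sliding timeout limits how long a stolen ticket stays valid. -->
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx"
             protection="All"
             requireSSL="true"
             slidingExpiration="false"
             timeout="30" />
    </authentication>

    <!-- ASP.NET 2.0 and later: mark every cookie the application sets as
         Secure and HttpOnly, not just the authentication ticket. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />

  </system.web>
</configuration>
```

With this setting the HTTP pages Dima describes simply see an anonymous user, because the browser never attaches the Secure cookie to them; the fix therefore still means serving every page that needs the ticket over HTTPS, which is Joe's point.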

  3. Dominick Baier

    I have recently written some articles about SSL on my blog - maybe that's
    helpful:

    www.leastprivilege.com

    ---
    Dominick Baier, DevelopMentor
    http://www.leastprivilege.com

    > HI All,
    >
    > I've a question about AuthTickets.
    >
    > Microsoft recommends using either SSL for all pages or Encryption to
    > protect the AuthTicket. Here is the quote from the
    > http://support.microsoft.com/kb/813829/ page:
    >
    > "How to Help Make Forms Authentication Secure
    > • Use SSL for all pages.
    > • Use the Encrypt method of the FormsAuthentication class."
    > While I understand why SSL would protect the ticket, I have the
    > following
    > concern regarding the second (Encryption) option.
    > If a user after logging in clicks on a page which is being served over
    > HTTP,
    > the AuthTicket is still being sent back to a browser in a cookie. Such
    > requests (for non secure (HTTP) pages) can be intercepted by "a man in
    > the
    > middle". Even though the AuthTicket is encrypted, it can be used as is
    > by a
    > hacker to hijack the user's session.
    > Am I missing something? Can anybody comment on this?
    >
    > Thanks,
    > Dima Maltsev
    Dominick Baier, Aug 24, 2006
    #3
