Dima Maltsev
Hi All,
I've a question about AuthTickets.
Microsoft recommends using either SSL for all pages or Encryption to
protect the AuthTicket. Here is the quote from the
http://support.microsoft.com/kb/813829/ page:
"How to Help Make Forms Authentication Secure
• Use SSL for all pages.
• Use the Encrypt method of the FormsAuthentication class."
While I understand why SSL would protect the ticket, I have the following
concern regarding the second (Encryption) option.
If a user after logging in clicks on a page which is being served over HTTP,
the AuthTicket is still being sent back to a browser in a cookie. Such
requests (for non-secure (HTTP) pages) can be intercepted by “a man in the
middle”. Even though the AuthTicket is encrypted, it can be used as-is by a
hacker to hijack the user’s session.
Am I missing something? Can anybody comment on this?
Thanks,
Dima Maltsev
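The concern above is about cookie scope rather than ticket contents: encryption (the `protection="All"` default) only keeps the ticket confidential and tamper-evident, it does nothing to stop a captured cookie from being replayed. The setting that closes that gap is `requireSSL` on the `<forms>` element, which makes ASP.NET emit the forms cookie with the `Secure` attribute so the browser never sends it on an `http://` request (and makes `FormsAuthentication` throw rather than issue the cookie on a non-SSL request). The following web.config fragment is an added example, not something from the original post or from the KB article; the element and attribute names are real `<system.web>` settings, while `AuthCookie` and `Login.aspx` are placeholder names, and the `<httpCookies>` element assumes .NET 2.0 or later.

```xml
<!-- Added example, not from the original post. Element and attribute names are
     real ASP.NET <system.web> settings; AuthCookie and Login.aspx are placeholders. -->

<!-- Weak: the ticket is encrypted and signed (protection="All"), but because
     requireSSL is false the cookie carries no Secure flag. The browser attaches it
     to every http:// request as well, so a network attacker who captures one
     plain-HTTP request can replay the cookie unchanged and own the session. -->
<system.web>
  <authentication mode="Forms">
    <forms name="AuthCookie"
           loginUrl="Login.aspx"
           protection="All"
           requireSSL="false"
           timeout="30" />
  </authentication>
</system.web>

<!-- Hardened: requireSSL="true" marks the forms cookie Secure, so it is only sent
     over HTTPS, and FormsAuthentication.SetAuthCookie/RedirectFromLoginPage throw
     if the login request itself is not over SSL. <httpCookies> (.NET 2.0+) adds
     Secure and HttpOnly to every cookie the application sets, which also keeps
     the ticket out of reach of script on the page. Disabling sliding expiration
     bounds how long a ticket stolen by any other means remains valid. -->
<system.web>
  <authentication mode="Forms">
    <forms name="AuthCookie"
           loginUrl="Login.aspx"
           protection="All"
           requireSSL="true"
           slidingExpiration="false"
           timeout="30" />
  </authentication>
  <httpCookies httpOnlyCookies="true" requireSSL="true" />
</system.web>
```

To check the result, log in and inspect the `Set-Cookie` response header (browser developer tools, or `curl -k -I` against the login POST): with the hardened configuration it must end in `; secure; HttpOnly`, and a subsequent request to an `http://` page of the same site must arrive at the server without the `AuthCookie` header at all. This is why the KB's two bullets are not alternatives in practice: the Encrypt method protects what is inside the ticket, and SSL for all pages plus `requireSSL` protects the ticket itself from being observed on the wire.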