Are AuthTickets Secure?

Dima Maltsev

Hi All,

I've a question about AuthTickets.

Microsoft recommends using either SSL for all pages or Encryption to
protect the AuthTicket. Here is the quote from the
http://support.microsoft.com/kb/813829/ page:

"How to Help Make Forms Authentication Secure
• Use SSL for all pages.
• Use the Encrypt method of the FormsAuthentication class."


While I understand why SSL would protect the ticket, I have the following
concern regarding the second (Encryption) option.
If a user after logging in clicks on a page which is being served over HTTP,
the AuthTicket is still being sent back to a browser in a cookie. Such
requests (for non secure (HTTP) pages) can be intercepted by "a man in the
middle". Even though the AuthTicket is encrypted, it can be used as is by a
hacker to hijack the user's session.

Am I missing something? Can anybody comment on this?

Thanks,
Dima Maltsev
 
Joe Kaplan

You are right. The cookie is vulnerable to theft if the channel is not
encrypted. Use SSL for all serious secure sites.

In my opinion, the encryption of the cookie primarily serves to make it
opaque to the end user.

Joe K.
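What Joe's advice looks like in an ASP.NET web.config, as an added illustration that is not part of either post: the weak fragment (ticket cookie issued and accepted over plain HTTP) beside the corrected one, where the cookie is only ever sent over SSL. The loginUrl and timeout values are placeholders; the attribute names are the standard ones of the forms and httpCookies elements.

```xml
<!-- WEAK: protection="All" encrypts and signs the ticket, but requireSSL="false"
     lets the cookie travel over HTTP, so a copy captured on a plain-HTTP request
     replays as-is. Encryption alone does nothing for the transport channel. -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx" protection="All" requireSSL="false" />
    </authentication>
  </system.web>
</configuration>

<!-- CORRECTED: requireSSL="true" makes the runtime mark the cookie Secure and
     refuse to issue it on a non-SSL request; cookieless="UseCookies" keeps the
     ticket out of the URL (Referer headers, proxy and server logs); the
     httpCookies element additionally flags every cookie HttpOnly and Secure. -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx"
             protection="All"
             requireSSL="true"
             cookieless="UseCookies"
             slidingExpiration="false"
             timeout="20" />
    </authentication>
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>
</configuration>
```

With requireSSL="true" the browser will not attach the ticket to HTTP requests, so pages still served over HTTP see an anonymous user rather than leaking the session. The login page itself must then be reached over HTTPS, because the runtime throws instead of setting the cookie on a plain-HTTP response.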
 