Authentication Cookie subject to spoofing/sniffing attacks?

Discussion in 'ASP .Net' started by CW, May 2, 2004.

  1. CW

    CW Guest

    It's recommended that when signing on using FormsAuthentication, one should
    do so over a secure (SSL) channel.

    If I understand the FormsAuthentication mechanism correctly, the Authentication
    ticket generated is then appended to every single page request that needs to
    be authorized. Thus, if I only use SSL to protect the SignIn page but not
    the other pages (which require authorization), the Authentication ticket can be
    spoofed and hijacked. The only way to ensure against that is to make sure
    all pages that require authentication run on SSL - which can be quite a lot
    of overhead. What bothers me is that there are a lot of commercial sites
    which only use SSL at the login page. (A good example is Hotmail - which
    uses SSL to authenticate the user and then redirects to non-secure pages - of
    course I do know Hotmail uses the Passport authentication scheme, but I suspect
    it's equally vulnerable to spoofing/sniffing attacks).

    Any comments and thoughts?
    CW, May 2, 2004
    #1
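    The configuration that addresses this concern, as an added example that is not part of the thread: two web.config fragments for an ASP.NET application, the weak setup the post describes (SSL only on the sign-in page, ticket cookie sent everywhere) beside the hardened one. Attribute and element names follow ASP.NET's forms authentication configuration; the httpCookies element assumes ASP.NET 2.0 or later.

```xml
<!-- Added example, not from the thread. Weak: requireSSL="false" means the
     forms ticket cookie is also sent on plain-HTTP requests, so protecting only
     the SignIn page with SSL leaves the ticket exposed on every later page. -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms name=".ASPXAUTH" loginUrl="SignIn.aspx" protection="All"
             requireSSL="false" timeout="30" slidingExpiration="true" />
    </authentication>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>

<!-- Hardened: requireSSL="true" marks the ticket cookie Secure, so the browser
     only sends it over HTTPS, and FormsAuthentication refuses to issue it on a
     non-SSL request. Every authorized page must therefore be served over SSL,
     which is exactly the conclusion in the post above. A shorter timeout and
     no sliding expiration narrow the window in which a stolen ticket is usable;
     httpCookies (ASP.NET 2.0+) additionally flags cookies HttpOnly. -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms name=".ASPXAUTH" loginUrl="SignIn.aspx" protection="All"
             requireSSL="true" timeout="20" slidingExpiration="false" />
    </authentication>
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>
```

    To verify the effect, inspect the Set-Cookie header returned after sign-in: the .ASPXAUTH cookie should carry the Secure (and, with httpCookies, HttpOnly) attribute, and a request for a protected page over plain HTTP should redirect to the login page because the browser withholds the cookie.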

  2. "CW" <a> wrote in message news:...
    > It's recommended that when signing on using FormsAuthentication, one should
    > do so over a secure (SSL) channel.
    >
    > If I understand FormsAuthentication mechanism correctly, the Authentication
    > ticket generated is then appended to every single page request that needs to
    > be authorized. Thus, if I only use SSL to protect the SignIn page but not
    > the other pages (which require authorization), Authentication ticket can be
    > spoofed and hijacked.


    Maybe Microsoft considered this already?
    --
    John Saunders
    John.Saunders at SurfControl.com
    John Saunders, May 3, 2004
    #2