guidance using Forms authentication

Discussion in 'ASP .Net Security' started by Rob Millman, Oct 12, 2004.

  1. Rob Millman

    Rob Millman Guest

    There is lots of discussion of security issues and authentication techniques,
    pros/cons of different technologies and patterns, etc.

    I'm looking for "Best Guidance" for a web site that will be available to the
    public, with a login using username/password. FormsAuthentication seems like
    a straightforward solution. However, most discussions urge SSL for the
    login form. What about sending the authentication cookie back and forth with
    every request? Is this vulnerable to replay attacks? Even using Passport,
    if someone sniffs the line and catches the cookie, can't it be used to
    impersonate that specific logged in user? Isn't the ASP.NET session cookie
    also vulnerable to this type of problem?

    What am I missing? Or should all traffic go SSL to avoid all of this?

    Any guidance is much appreciated.

    Robert Millman
     
    Rob Millman, Oct 12, 2004
    #1

  2. SSL is important for the password page because you want to make sure the
    user's password isn't sent over the wire in clear text.

    It is definitely possible for the session cookie or auth cookie to get
    stolen and allow the user to be hijacked. This is one good reason to use
    SSL for everything if you can afford the loss of scalability. There was
    also a good article in MSDN Magazine by Jeff Prosise recently discussing
    session hijacking and things you could do to prevent it:

    http://msdn.microsoft.com/msdnmag/issues/04/08/WickedCode/

    In the end, it will come down to how critical your security needs are, but
    it is definitely a good idea to understand your risks as well as possible
    and that article will certainly help.

    Joe K.

    "Rob Millman" <> wrote in message
    news:...
    > There is lots of discussion of security issues and authentication techniques,
    > pros/cons of different technologies and patterns, etc.
    >
    > I'm looking for "Best Guidance" for a web site that will be available to the
    > public, with a login using username/password. FormsAuthentication seems like
    > a straightforward solution. However, most discussions urge SSL for the
    > login form. What about sending the authentication cookie back and forth with
    > every request? Is this vulnerable to replay attacks? Even using Passport,
    > if someone sniffs the line and catches the cookie, can't it be used to
    > impersonate that specific logged in user? Isn't the ASP.NET session cookie
    > also vulnerable to this type of problem?
    >
    > What am I missing? Or should all traffic go SSL to avoid all of this?
    >
    > Any guidance is much appreciated.
    >
    > Robert Millman
     
    Joe Kaplan (MVP - ADSI), Oct 12, 2004
    #2
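As an added example that is not part of either post above: a small ASP.NET HttpModule in C# that enforces on every request the two rules Joe's reply points at. It refuses a Forms authentication ticket that arrives over plain HTTP (treating it as already sniffed, which answers the replay question: the ticket is encrypted and signed, so it cannot be forged, but anyone holding a copy can present it until it expires), and it marks every cookie the application sets as Secure so the browser never sends it in the clear in the first place. The first rule is what requireSSL="true" on the <forms> element (available from ASP.NET 1.1) is for; it is written out here so the check is visible, and because the ASP.NET session cookie needs the same treatment and the <forms> attribute does not give it. Assumptions: ASP.NET 1.1 or 2.0 with FormsAuthenticationModule active, SSL on the standard port 443, and a login page at Login.aspx under the application root; the class name and that page name are invented for the example.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Added example, not code from the thread. Enforces two rules on every request:
//   1. a Forms authentication ticket is only honoured on an SSL connection
//      (the same intent as <forms requireSSL="true"> in web.config, made explicit);
//   2. every cookie set by the application, including ASP.NET_SessionId, leaves
//      with the Secure flag, so a browser will not send it over plain HTTP at all.
// Assumes ASP.NET 1.1 or 2.0, SSL on port 443, and a login page named Login.aspx
// under the application root (the page name is an assumption for this example).
public class SecureCookiesModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        app.AuthenticateRequest += new EventHandler(OnAuthenticateRequest);
        app.EndRequest += new EventHandler(OnEndRequest);
    }

    public void Dispose()
    {
    }

    // A ticket that shows up on a plaintext connection must be assumed captured.
    // Expire it on the client and send the user back to log in over SSL instead of
    // honouring it; a replayed copy of the same cookie on plain HTTP meets the same fate.
    private void OnAuthenticateRequest(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        HttpRequest request = app.Context.Request;

        // Request.Cookies returns null when the cookie is absent (unlike Response.Cookies).
        HttpCookie authCookie = request.Cookies[FormsAuthentication.FormsCookieName];
        if (authCookie == null || request.IsSecureConnection)
        {
            return;
        }

        FormsAuthentication.SignOut();

        string appPath = request.ApplicationPath;
        if (!appPath.EndsWith("/"))
        {
            appPath += "/";
        }
        // Redirect ends the request; the login page itself must be served over SSL.
        app.Context.Response.Redirect("https://" + request.Url.Host + appPath + "Login.aspx");
    }

    // Before the headers go out, flag every outbound cookie as Secure. The Forms
    // ticket already gets this from requireSSL, but the session cookie does not,
    // and a sniffed ASP.NET_SessionId hijacks the session just as effectively.
    private void OnEndRequest(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        HttpCookieCollection cookies = app.Context.Response.Cookies;

        // Index by position: Response.Cookies["name"] creates a cookie if it is missing.
        for (int i = 0; i < cookies.Count; i++)
        {
            cookies[i].Secure = true;
        }
    }
}
```

Register it in web.config under <httpModules> with <add name="SecureCookies" type="SecureCookiesModule" /> and pair it with <forms requireSSL="true" slidingExpiration="false" timeout="20" /> so a captured ticket is also bounded by a short absolute lifetime rather than renewed on every request. Secure session cookies mean the session will not survive a hop to a plain-HTTP page; that is the intended effect, everything behind the login is served over SSL. One caveat: if SSL is terminated at a load balancer in front of IIS, Request.IsSecureConnection is false for every request and this module would sign everyone out, so in that deployment the check has to consult whatever header the balancer adds to mark SSL traffic instead.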