Question about cookie protection and FormsAuthentication.Encrypt

William

I'm a little unclear on when exactly I would need to use
FormsAuthentication.Encrypt. If I have the cookie protection in the
web.config set to All (i.e. <forms loginUrl="login.aspx" protection="All">),
shouldn't my cookie already be encrypted and tamper-proof even if I don't
encrypt the authentication ticket using FormsAuthentication.Encrypt? What do
I gain by also using FormsAuthentication.Encrypt in addition to the
web.config setting? Or is this more of a double-check than anything else?
 
Dominick Baier

You only need to call Encrypt if you are manually creating the FormsAuthenticationTicket
and adding it to the cookies collection.

If you are using FormsAuthentication.SetAuthCookie or RedirectFromLoginPage
this is done automatically for you (according to config settings).
 
William

Just to make sure I am clear on this... are you saying if I manually created
the authentication ticket and I don't call FormsAuthentication.Encrypt on the
ticket then the cookie will NOT be encrypted and tamper-proof? What are the
security implications of not having called FormsAuthentication.Encrypt when I
manually create the ticket? Thanks again for the information!
 
Dominick Baier

If you don't enforce encryption and validation, everybody can create a ticket
and use it to log on to your application - that's the implication ;)
 
William

Sorry... I was a little unclear in my follow-up. I'm trying to figure out
what the correlation is between protection="all" in the web.config,
FormsAuthentication.Encrypt, and actually having the cookie be protected.

But, based upon your responses, I think I am putting it together... it just
took a while to sink in. Is the following statement correct?

The built-in .NET SetAuthCookie/GetAuthCookie/RedirectFromLogin reads the
protection="all" tag from the web.config to determine whether or not to call
FormsAuthentication.Encrypt to protect the cookie. However, if I manually
create the cookie, then specifying protection="All" doesn't actually do
anything for me, since its sole purpose was to tell those 3 functions above
whether to encrypt or not.

Is that right? Thanks again for all the responses!
 
Dominick Baier

You are right :)

But there is a 4th purpose:

The FormsAuthenticationModule has to read the cookie on every request - the
protection setting tells the module whether the cookie ought to be encrypted
and signed.
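The two code paths discussed in this thread, as an added C# example (not code from any of the posters): SetAuthCookie builds and protects the ticket according to the web.config <forms> element on its own, while a hand-built FormsAuthenticationTicket is only protected if it is passed through FormsAuthentication.Encrypt before it goes into the cookie. The third method mirrors what the FormsAuthenticationModule does when it reads the cookie back. The class name FormsAuthCookieExamples and the userData argument are assumptions for illustration; the web.config is assumed to contain the <forms loginUrl="login.aspx" protection="All"> element from the question.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Hypothetical helper class written for this example; assumes a web.config with
// <forms loginUrl="login.aspx" protection="All"> so that Encrypt both encrypts and signs.
public static class FormsAuthCookieExamples
{
    // Path 1: let the framework build the ticket. SetAuthCookie reads the
    // protection setting from web.config, encrypts and MACs the ticket
    // accordingly, and appends the cookie to the current response.
    public static void IssueWithSetAuthCookie(string userName)
    {
        FormsAuthentication.SetAuthCookie(userName, false /* not persistent */);
    }

    // Path 2: build the ticket by hand. The protection setting does nothing for
    // this ticket until FormsAuthentication.Encrypt is called; writing the raw
    // ticket fields into the cookie would let any client forge a login.
    public static HttpCookie IssueManually(string userName, string userData)
    {
        var ticket = new FormsAuthenticationTicket(
            1,                                  // ticket version
            userName,                           // authenticated user name
            DateTime.Now,                       // issue date
            DateTime.Now.AddMinutes(30),        // expiration
            false,                              // not a persistent cookie
            userData,                           // e.g. a role list; never secrets
            FormsAuthentication.FormsCookiePath);

        // Encrypt applies the configured protection level (All = encrypt + sign).
        string protectedTicket = FormsAuthentication.Encrypt(ticket);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, protectedTicket)
        {
            HttpOnly = true,                          // keep client script away from the ticket
            Secure = FormsAuthentication.RequireSSL,  // honour requireSSL from web.config
            Path = FormsAuthentication.FormsCookiePath
        };
        return cookie;
    }

    // Path 3: what the FormsAuthenticationModule effectively does on every request.
    // Decrypt verifies the MAC and decrypts; a tampered or unreadable value
    // results in an exception or a null ticket, both treated as "not authenticated".
    public static bool TryReadTicket(HttpCookie cookie, out FormsAuthenticationTicket ticket)
    {
        ticket = null;
        if (cookie == null || string.IsNullOrEmpty(cookie.Value))
            return false;

        try
        {
            ticket = FormsAuthentication.Decrypt(cookie.Value);
        }
        catch (ArgumentException)
        {
            return false; // value is not a protected ticket at all
        }
        catch (HttpException)
        {
            return false; // "Unable to validate data": MAC check failed
        }

        return ticket != null && !ticket.Expired;
    }
}
```

Note that with protection="All" the signature check happens inside Decrypt before any field of the ticket is trusted, which is why a forged or edited cookie never reaches the application as an authenticated user; the example's TryReadTicket only adds the expiry check that the module also performs.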
 
