Authentication Cookie subject to spoofing/sniffing attacks?

CW

It's recommended that when signing on using FormsAuthentication, one should
do so over a secure (SSL) channel.

If I understand the FormsAuthentication mechanism correctly, the authentication
ticket generated is then appended to every single page request that needs to
be authorized. Thus, if I only use SSL to protect the SignIn page but not
the other pages (which require authorization), the authentication ticket can be
spoofed and hijacked. The only way to ensure against that is to make sure
all pages that require authentication run on SSL - which can be quite a lot
of overhead. What bothers me is that there are a lot of commercial sites
which only use SSL at the login page. (A good example is Hotmail - which
uses SSL to authenticate the user and then redirects to non-secure pages - of
course I do know Hotmail uses the Passport authentication scheme, but I suspect
it's equally vulnerable to spoofing/sniffing attacks).

Any comments and thoughts?
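The mitigation a defender would reach for here is to mark the forms ticket cookie as Secure, so the browser never returns it over plain HTTP. The following web.config is an added example, not configuration from the original post; the page name SignIn.aspx and the timeout value are assumptions.

```xml
<!-- web.config for an ASP.NET application using Forms Authentication -->
<configuration>
  <system.web>
    <!-- WEAK (assumed baseline): the ticket cookie is returned with every
         request, over plain HTTP as well as HTTPS, so protecting only the
         sign-in page with SSL leaves the cookie exposed on all other pages.
    <authentication mode="Forms">
      <forms loginUrl="SignIn.aspx" protection="All" />
    </authentication>
    -->

    <!-- HARDENED: requireSSL="true" sets the Secure flag on the ticket
         cookie, so the browser only sends it over HTTPS. A request for a
         protected page over HTTP therefore arrives without a ticket, is
         treated as unauthenticated, and is redirected to loginUrl. This
         means every authorized page must be served over SSL, which is the
         trade-off the original post describes. -->
    <authentication mode="Forms">
      <forms name=".ASPXAUTH"
             loginUrl="SignIn.aspx"
             protection="All"
             requireSSL="true"
             slidingExpiration="false"
             timeout="20" />
    </authentication>

    <!-- Deny anonymous users everywhere by default ... -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- ... and allow everyone to reach the sign-in page itself. -->
  <location path="SignIn.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

A quick check after deploying: the Set-Cookie header for .ASPXAUTH on the sign-in response should carry the `secure` attribute, and a protected page requested over http:// should redirect to loginUrl rather than render.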

John Saunders

CW said:
It's recommended that when signing on using FormsAuthentication, one should
do so over a secure (SSL) channel.

If I understand the FormsAuthentication mechanism correctly, the authentication
ticket generated is then appended to every single page request that needs to
be authorized. Thus, if I only use SSL to protect the SignIn page but not
the other pages (which require authorization), the authentication ticket can be
spoofed and hijacked.

Maybe Microsoft considered this already?