It's recommended that when signing on using FormsAuthentication, one should
do so over a secure (SSL) channel.
If I understand the FormsAuthentication mechanism correctly, the authentication
ticket generated is then appended to every single page request that needs to
be authorized. Thus, if I only use SSL to protect the SignIn page but not
the other pages (which require authorization), the authentication ticket can be
spoofed and hijacked. The only way to ensure against that is to make sure
all pages that require authentication run on SSL - which can be quite a lot
of overhead. What bothers me is that there are a lot of commercial sites
which only use SSL at the login page. (A good example is Hotmail - which
uses SSL to authenticate the user and then redirects to non-secure pages - of
course I do know Hotmail uses the Passport authentication scheme, but I suspect
it's equally vulnerable to spoofing/sniffing attacks.)
Any comments and thoughts?
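As an added example (not part of the original post): in ASP.NET FormsAuthentication the ticket travels in a cookie, so the defender-side control for the sniffing concern raised above is to mark that cookie Secure, which makes the browser withhold it on plain HTTP requests. The snippet below contrasts the default `<forms>` configuration with one that sets `requireSSL`, and shows a hypothetical login page (class name, user name and handler are assumptions) issuing the cookie with the Secure flag set explicitly. `requireSSL`, `FormsAuthentication.GetAuthCookie`, `GetRedirectUrl` and `HttpCookie.Secure` are the real ASP.NET members.

```csharp
// Added example, not from the original post. Shows the configuration and
// code needed so the FormsAuthentication ticket cookie is only sent over SSL.
//
// web.config (system.web section):
//   <authentication mode="Forms">
//     <!-- weak: cookie carries no Secure flag, so it is sent on every
//          request to the host, including plain http:// pages -->
//     <forms loginUrl="SignIn.aspx" />
//     <!-- hardened: issued cookie is marked Secure and a ticket presented
//          on a non-SSL request is not honored -->
//     <forms loginUrl="SignIn.aspx" requireSSL="true" />
//   </authentication>

using System;
using System.Web;
using System.Web.Security;

// Hypothetical login page code-behind; the class name is an assumption.
public partial class SignIn : System.Web.UI.Page
{
    protected void LoginButton_Click(object sender, EventArgs e)
    {
        // Credential validation is out of scope here; assume it succeeded
        // for a constructed user name.
        string userName = "alice";

        // Do not issue a ticket at all unless this request arrived over SSL;
        // otherwise the ticket would be handed out on a channel that can be sniffed.
        if (!Request.IsSecureConnection)
        {
            Response.StatusCode = 403;
            Response.End();
            return;
        }

        // Build the cookie explicitly rather than calling SetAuthCookie, so the
        // Secure and HttpOnly flags are visible and enforced in code as well as
        // by the requireSSL configuration.
        HttpCookie ticketCookie = FormsAuthentication.GetAuthCookie(userName, false);
        ticketCookie.Secure = true;    // browser will not send it over http://
        ticketCookie.HttpOnly = true;  // not readable from client-side script
        Response.Cookies.Add(ticketCookie);

        Response.Redirect(FormsAuthentication.GetRedirectUrl(userName, false));
    }
}
```

With `requireSSL="true"` the forms module marks tickets it issues as Secure and ignores a ticket that arrives on a non-SSL request, so pages that require authentication effectively have to run over SSL, which is the trade-off the post describes: the flag closes the sniffing window, at the cost of serving every authorized page over SSL.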