Forms Authentication Security

mail747097

I have created a website that uses forms authentication
(<authentication mode="Forms"/>). I have traced the response sent from
the web browser after the user has entered a password and pressed
Login. The password is then sent in clear text. Is the only way not to
have the user's password in clear text to load the login page with
HTTPS, or is there some other way? Does this mean that forms
authentication is no more secure than Basic authentication done by
IIS?
 
Joe Kaplan

Yes. You should never use a forms-based authentication scheme without HTTPS
IMO because even if the password is somehow obfuscated, the cookie is
available on subsequent requests via the same mechanism and the cookie
allows a snooper to impersonate the user in the application as easily as the
password does.

NTLM auth is notoriously easy to crack these days, so using it without HTTPS
is potentially asking for trouble. Kerberos auth is much more secure, but
in general, it is good to use HTTPS with any web application that requires
authentication and has important security requirements.

Joe K.
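Putting the advice above into configuration, as an added example that is not part of the thread: the ASP.NET web.config fragment below shows the bare <authentication mode="Forms"/> from the question next to a hardened version. The login URL ~/Login.aspx and the 20-minute timeout are placeholder choices, not values from the thread.

```xml
<?xml version="1.0"?>
<!-- Added example, not from the thread. Two variants of the forms-auth
     settings for an ASP.NET 2.0 web.config; ~/Login.aspx and the
     20-minute timeout are placeholder choices. -->
<configuration>
  <system.web>

    <!-- Variant 1 (the configuration from the question, disabled here):
         the login POST and the forms-auth cookie both travel over plain
         HTTP, so a sniffer gets the password once and the ticket cookie
         on every subsequent request.
    <authentication mode="Forms"/>
    -->

    <!-- Variant 2 (hardened). requireSSL="true" makes ASP.NET mark the
         forms cookie Secure, so the browser never sends it over plain
         HTTP, and FormsAuthentication.SetAuthCookie /
         RedirectFromLoginPage throw an HttpException if the login
         request itself did not arrive over HTTPS. -->
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx"
             requireSSL="true"
             cookieless="UseCookies"
             protection="All"
             slidingExpiration="false"
             timeout="20" />
    </authentication>

    <!-- Every cookie the application issues (including the ASP.NET
         session cookie) gets the Secure and HttpOnly flags. -->
    <httpCookies requireSSL="true" httpOnlyCookies="true" />

    <!-- Deny anonymous users so unauthenticated requests are redirected
         to loginUrl; with requireSSL on, that redirect must land on an
         HTTPS URL. -->
    <authorization>
      <deny users="?" />
    </authorization>

  </system.web>
</configuration>
```

requireSSL only protects the cookie. The login page itself still has to be served over HTTPS (IIS "Require secure channel" on the site, or an HTTP-to-HTTPS redirect), otherwise the password still crosses the wire in clear text in the POST before the cookie is ever issued. On an intranet this means the clients must trust the server certificate, for example one issued by an internal CA.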
 
Dominick Baier

As soon as you are dealing with sensitive data and/or authentication you
need SSL. Period.
 
mail747097

> As soon as you are dealing with sensitive data and/or authentication you
> need SSL. Period.
>
> -----
> Dominick Baier (http://www.leastprivilege.com)
>
> Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

Thanks for the answers. It is an intranet application and not an
internet application. That is why I feel that absolute security is not
a requirement, although it would be nice not to have passwords
transmitted in clear text. I consider my question answered: HTTPS
is the only way.
 
