SSL How-TO

Dominick Baier [DevelopMentor]

Hello dl,

I guess you are using FormsAuth - so authentication is based on a cookie.
This cookie has to be transmitted to every page that requires authentication.

This would mean that you secure the login page, but all remaining pages will
receive the cookie in clear text. If someone can steal/sniff that cookie
he can hijack the authenticated user's identity.

Or in short - No.
 
Guest

I thought the content of the authentication cookie is an encrypted session
ticket, with no username / password information, isn't it?
 
Joe Kaplan (MVP - ADSI)

Yes, but if they sniff the cookie they can still replay it and assume your
identity on the website. You generally want to be careful about passing
around forms auth cookies on an unencrypted channel.

Joe K.
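
The point made in the replies above, as an added example that is not part of the original thread: the server accepts whoever presents a valid ticket, so the protection has to come from never sending the cookie over plain HTTP. The sketch uses an HMAC-protected ticket as a stand-in for the encrypted forms auth ticket; the function names, the key and the URLs are hypothetical and constructed for illustration.

```python
import base64
import hashlib
import hmac
import os
import time

SERVER_KEY = os.urandom(32)  # constructed key, stand-in for the server's ticket key


def issue_ticket(user, ttl=1200, now=None):
    """Build an opaque ticket: 'user|expiry' plus a MAC, base64-encoded."""
    now = time.time() if now is None else now
    body = f"{user}|{int(now + ttl)}".encode()
    mac = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + mac).decode()


def validate_ticket(cookie, now=None):
    """Return the user name for an authentic, unexpired ticket, else None.

    Only the cookie bytes are checked: nothing ties the ticket to the
    client that originally received it, which is why a copy is accepted.
    """
    now = time.time() if now is None else now
    try:
        raw = base64.urlsafe_b64decode(cookie.encode())
    except ValueError:
        return None
    body, mac = raw[:-32], raw[-32:]
    expected = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None
    user, _, expiry = body.decode().rpartition("|")
    return user if now < int(expiry) else None


def browser_sends_cookie(url, secure_flag):
    """Browser rule: a cookie marked Secure is only attached to https requests."""
    return url.lower().startswith("https://") or not secure_flag


def exposed_requests(urls, secure_flag):
    """Return the URLs on which the ticket would travel in clear text."""
    return [u for u in urls
            if u.lower().startswith("http://") and browser_sends_cookie(u, secure_flag)]
```

With SSL on the login page only and no Secure flag, every later plain-HTTP page shows up in `exposed_requests`; serving all authenticated pages over HTTPS and marking the cookie Secure empties that list.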
 
