Velocity Reviews - Computer Hardware Reviews

guidance using Forms authentication

Rob Millman, 10-12-2004
There is lots of discussion of security issues and authentication techniques,
pros/cons of different technologies and patterns, etc.

I'm looking for "Best Guidance" for a web site that will be available to the
public, with a login using username/password. FormsAuthentication seems like
a straightforward solution. However, most discussions urge SSL for the
login form. What about sending the authentication cookie back and forth with
every request? Is this vulnerable to replay attacks? Even using Passport,
if someone sniffs the line and catches the cookie, can't it be used to
impersonate that specific logged-in user? Isn't the ASP.NET session cookie
also vulnerable to this type of problem?

What am I missing? Or should all traffic go SSL to avoid all of this?

Any guidance is much appreciated.

Robert Millman
Joe Kaplan (MVP - ADSI), 10-12-2004
SSL is important for the password page because you want to make sure the
user's password isn't sent over the wire in clear text.

It is definitely possible for the session cookie or auth cookie to get
stolen and allow the user to be hijacked. This is one good reason to use
SSL for everything if you can afford the loss of scalability. There was
also a good article in MSDN Magazine by Jeff Prosise recently discussing
session hijacking and things you could do to prevent it:

http://msdn.microsoft.com/msdnmag/is...08/WickedCode/

In the end, it will come down to how critical your security needs are, but
it is definitely a good idea to understand your risks as well as possible
and that article will certainly help.

Joe K.
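The reply's advice (SSL for the login page, SSL everywhere if you can afford it, and limiting what a stolen cookie is worth) maps onto a few web.config settings. The fragment below is an added example written for this thread, not code from either poster; it shows a weak Forms authentication configuration next to a hardened one. The `<forms>` attributes (`requireSSL`, `slidingExpiration`, `timeout`, `protection`) exist from ASP.NET 1.1; the `<httpCookies>` element is assumed to be available, which requires ASP.NET 2.0 or later. The login page name and timeout values are placeholders.

```xml
<!-- Added example, not from the original thread. Assumes ASP.NET 2.0+ for
     <httpCookies>; the <forms> attributes shown exist from ASP.NET 1.1. -->
<configuration>
  <system.web>

    <!-- WEAK: the ticket cookie travels over plain HTTP, is readable by
         script, is renewed on every request (sliding expiration) and lives
         for eight hours, so a sniffed cookie stays replayable for a long time.
    <authentication mode="Forms">
      <forms name=".ASPXAUTH" loginUrl="login.aspx" protection="All"
             timeout="480" slidingExpiration="true" requireSSL="false" />
    </authentication>
    -->

    <!-- HARDENED: requireSSL="true" sets the Secure flag, so the browser will
         only send the cookie over HTTPS; a fixed (non-sliding) 20-minute
         timeout bounds how long a captured ticket remains valid; protection="All"
         keeps the ticket encrypted and MAC-protected so it cannot be altered. -->
    <authentication mode="Forms">
      <forms name=".ASPXAUTH" loginUrl="login.aspx" protection="All"
             timeout="20" slidingExpiration="false" requireSSL="true" />
    </authentication>

    <!-- Apply the same flags to every cookie the application issues, including
         the ASP.NET session cookie: Secure (HTTPS only) and HttpOnly (not
         readable from client script). -->
    <httpCookies requireSSL="true" httpOnlyCookies="true" />

  </system.web>
</configuration>
```

With `requireSSL="true"` on `<forms>`, `FormsAuthentication.RedirectFromLoginPage` and `SetAuthCookie` throw an `HttpException` if the login request itself did not arrive over HTTPS, so the site must serve (or redirect) every authenticated page over SSL, which is exactly the "SSL for everything" the reply recommends. `HttpOnly` stops script from reading the cookie but does nothing against someone sniffing the wire; only TLS addresses that, and the short fixed timeout limits the damage if a ticket is captured anyway.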