Velocity Reviews - Computer Hardware Reviews

Authentication Cookie subject to spoofing/sniffing attacks?

 
 
CW
05-02-2004
It's recommended that when signing on using FormsAuthentication, one should
do so over a secure (SSL) channel.

If I understand the FormsAuthentication mechanism correctly, the Authentication
ticket generated is then appended to every single page request that needs to
be authorized. Thus, if I only use SSL to protect the SignIn page but not
the other pages (which require authorization), the Authentication ticket can be
spoofed and hijacked. The only way to ensure against that is to make sure
all pages that require authentication run on SSL - which can be quite a lot
of overhead. What bothers me is that there are a lot of commercial sites
which only use SSL at the login page. (A good example is Hotmail - which
uses SSL to authenticate the user and then redirects to non-secure pages - of
course I do know Hotmail uses the Passport authentication scheme, but I suspect
it's equally vulnerable to spoofing/sniffing attacks).

Any comments and thoughts?


 
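An added example, not code from the thread: the web.config fragments behind the scenario above, the weak setup beside the hardened one. The `<forms>` and `<httpCookies>` attributes are real ASP.NET settings (`<httpCookies>` needs .NET 2.0 or later); SignIn.aspx is an assumed page name.

```xml
<!-- Fragment 1 (constructed): the weak setup the post describes.
     Only the sign-in page is forced onto SSL. The .ASPXAUTH ticket cookie
     is issued without the Secure flag, so the browser attaches it to every
     later request, including the ones made over plain HTTP, where anyone on
     the path can read it. -->
<system.web>
  <authentication mode="Forms">
    <forms loginUrl="SignIn.aspx" protection="All" />
  </authentication>
</system.web>

<!-- Fragment 2 (constructed): the hardened setup.
     requireSSL="true" does two things: the ticket cookie is written with
     the Secure flag, so a browser never sends it over HTTP, and ASP.NET
     throws an HttpException instead of issuing the cookie if the login
     request itself did not arrive over SSL. A page served over HTTP then
     has no ticket to capture; it is simply unauthenticated, which is what
     forces every authorized page onto SSL (the overhead the poster worried
     about, but it is what keeps the cookie off the wire). -->
<system.web>
  <authentication mode="Forms">
    <forms loginUrl="SignIn.aspx"
           name=".ASPXAUTH"
           protection="All"
           requireSSL="true"
           slidingExpiration="false"
           timeout="20" />
    <!-- protection="All": ticket is encrypted and MAC-validated, so a
         forged or edited ticket is rejected; it does nothing against a
         ticket copied verbatim off an unencrypted connection.
         slidingExpiration="false" with a short timeout bounds how long a
         captured ticket would remain usable at all. -->
  </authentication>
  <!-- .NET 2.0 and later: Secure + HttpOnly on every cookie the application
       sets, so the session cookie and any custom cookies get the same
       treatment as the authentication ticket. -->
  <httpCookies requireSSL="true" httpOnlyCookies="true" />
</system.web>
```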
 
John Saunders
05-03-2004
"CW" <a> wrote in message news:(E-Mail Removed)...
> It's recommended that when signing on using FormsAuthentication, one should
> do so over a secure (SSL) channel.
>
> If I understand FormsAuthentication mechanism correctly, the Authentication
> ticket generated is then appended to every single page requests that need to
> be authorized. Thus, if I only use SSL to protect the SignIn page but not
> the other pages (which require authorization), Authentication ticket can be
> spoofed and hijacked.


Maybe Microsoft considered this already?
--
John Saunders
John.Saunders at SurfControl.com


