Forms Authentication Cookie - Why SSL?

I see guidance that, when using formsAuthentication in ASP.NET, you should use SSL via the requireSSL property.

I was under the impression that the content of the cookie is encrypted. So I am trying to understand why SSL is required?


2 answers


It's not the cookie that's the problem, it is sending the username and password. Using SSL will stop interception of the transaction (and provides some degree of confidence if users ever try to verify the certificate).




I have the same exact question!

I am slightly satisfied with @blowdart's answer for sites lacking sensitive information when you are logged in. You should definitely register with SSL - but also if someone gains access to your cookie, they can impersonate you before it expires.



http://msdn.microsoft.com/en-us/library/ms998310.aspx

To prevent forms authentication cookies from being captured and spoofed while crossing the network, make sure you use SSL with all pages that require authenticated access, and restrict forms authentication tickets to SSL channels by setting requireSSL="true" on the <forms> element.

To restrict forms authentication cookies to SSL channels

Set requireSSL="true" on the <forms> element, as shown in the following code.

By setting requireSSL="true", you set the secure cookie property that determines whether browsers should send the cookie back to the server. With the secure property set, the cookie is sent by the browser only to a secure page that is requested using an HTTPS URL.

Note: If you are using cookieless sessions, you must ensure that the authentication ticket is never sent over an unsecured channel.
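
A defender-side check for the settings discussed in this answer, as an added example that is not part of the original answer or the MSDN article: it audits a web.config for requireSSL on the <forms> element and for cookieless modes that can move the ticket into the URL. The two sample configs and the function name audit_forms_auth are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config files (not taken from the original page).
WEAK_CONFIG = """<configuration><system.web>
  <authentication mode="Forms">
    <forms loginUrl="Login.aspx" cookieless="UseUri" />
  </authentication>
</system.web></configuration>"""

HARDENED_CONFIG = """<configuration><system.web>
  <authentication mode="Forms">
    <forms loginUrl="Login.aspx" requireSSL="true" cookieless="UseCookies" />
  </authentication>
</system.web></configuration>"""


def audit_forms_auth(config_xml):
    """Return findings for the <forms> element of a web.config string."""
    root = ET.fromstring(config_xml)
    auth = next(root.iter("authentication"), None)
    if auth is None or auth.get("mode") != "Forms":
        return []  # forms authentication is not in use
    forms = auth.find("forms")
    attrs = forms.attrib if forms is not None else {}
    findings = []
    # requireSSL defaults to false, so a missing attribute is a finding too.
    if attrs.get("requireSSL", "false") != "true":
        findings.append("requireSSL is not true: ticket cookie has no Secure flag")
    # Any mode other than UseCookies can put the ticket in the URL, where
    # the Secure cookie flag does not apply (default is UseDeviceProfile).
    cookieless = attrs.get("cookieless", "UseDeviceProfile")
    if cookieless != "UseCookies":
        findings.append(f"cookieless={cookieless}: ticket may travel in the URL")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_forms_auth(cfg) or "no findings")
```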
