Rob Millman #1
guidance using Forms authentication
There is lots of discussion of security issues and authentication techniques, pros/cons of different technologies and patterns, etc.

I'm looking for "Best Guidance" for a web site that will be available to the public, with a login using username/password. FormsAuthentication seems like a straightforward solution. However, most discussions urge SSL for the login form. What about sending the authentication cookie back and forth with every request? Is this vulnerable to replay attacks? Even using Passport, if someone sniffs the line and catches the cookie, can't it be used to impersonate that specific logged-in user? Isn't the ASP.NET session cookie also vulnerable to this type of problem?

What am I missing? Or should all traffic go SSL to avoid all of this?

Any guidance is much appreciated.

Robert Millman
Joe Kaplan (MVP - ADSI) #2
Re: guidance using Forms authentication
SSL is important for the password page because you want to make sure the user's password isn't sent over the wire in clear text.

It is definitely possible for the session cookie or auth cookie to get stolen and allow the user to be hijacked. This is one good reason to use SSL for everything if you can afford the loss of scalability. There was also a good article in MSDN Magazine by Jeff Prosise recently discussing session hijacking and things you could do to prevent it:

http://msdn.microsoft.com/msdnmag/issues/04/08/WickedCode/

In the end, it will come down to how critical your security needs are, but it is definitely a good idea to understand your risks as well as possible and that article will certainly help.

Joe K.
"Rob Millman" <RobMillman@discussions.microsoft.com> wrote in message news:E7D60926-0AB6-4A17-836B-C7025BF1BA1C@microsoft.com...
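The settings that address the cookie-replay concern raised in this thread, as an added example that is not part of either post and not Microsoft's or the MSDN article's own code. It assumes the ASP.NET 2.0 web.config schema; the cookie name, login page and timeouts are placeholders chosen for illustration.

```xml
<?xml version="1.0"?>
<!-- Added example (not from the thread). ASP.NET 2.0 web.config, forms authentication.
     Cookie name, login page and timeouts are placeholders. -->
<configuration>
  <system.web>

    <!-- BEFORE (weak). This is what most 1.x-era sites ship with. The ticket is
         encrypted and signed (protection="All"), so it cannot be forged or
         edited, but requireSSL defaults to false: the browser sends the cookie
         on every request over plain http as well as https, so anyone sniffing
         port 80 can replay it. slidingExpiration defaults to true, so the
         attacker's own requests keep renewing the stolen ticket.

    <authentication mode="Forms">
      <forms name=".ASPXAUTH" loginUrl="Login.aspx" protection="All"
             timeout="30" requireSSL="false" slidingExpiration="true" path="/" />
    </authentication>
    -->

    <!-- AFTER (hardened).
         requireSSL="true": the auth cookie is issued with the Secure flag, so
           the browser never transmits it over http; a request arriving over
           http is treated as anonymous and redirected to loginUrl.
         slidingExpiration="false" + short timeout: a captured ticket dies at an
           absolute deadline instead of being renewed by whoever holds it.
         cookieless="UseCookies": never fall back to putting the ticket in the
           URL, where it leaks through logs and Referer headers. -->
    <authentication mode="Forms">
      <forms name=".ASPXAUTH"
             loginUrl="Login.aspx"
             protection="All"
             requireSSL="true"
             timeout="20"
             slidingExpiration="false"
             cookieless="UseCookies"
             path="/" />
    </authentication>

    <!-- Applies to every cookie ASP.NET writes, including ASP.NET_SessionId:
         Secure so it is never sent over http, HttpOnly so page script cannot
         read it. This covers the session-cookie half of the question. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />

    <!-- The session cookie is not bound to the authenticated user; keep its
         lifetime short as well. -->
    <sessionState mode="InProc" cookieless="false" timeout="20" />

    <!-- Deny anonymous users everywhere by default ... -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- ... and open only the login page to them. It must be served over https
       so the password itself is never sent in clear text. -->
  <location path="Login.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Two caveats worth stating plainly. First, requireSSL only keeps the cookie off the wire in the clear; it does nothing against a ticket obtained some other way (script on the page, a shared machine), and within its timeout a stolen ticket still replays, which is why the absolute expiry matters. Second, protection="All" relies on the machineKey; on a web farm you must configure an explicit, shared validationKey/decryptionKey or tickets issued by one server will not validate on another.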