Re: SSL How-TO
From: Joe Kaplan (MVP - ADSI) (joseph.e.kaplan_at_removethis.accenture.com)
Date: 06/21/05
- Next message: Joe Kaplan (MVP - ADSI): "Re: Receiving a strong name error when trying to access a library"
- Previous message: dl: "Re: SSL How-TO"
- In reply to: dl: "Re: SSL How-TO"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 21 Jun 2005 11:19:23 -0500
Yes, but if they sniff the cookie they can still replay it and assume your
identity on the website. You generally want to be careful about passing
around forms auth cookies on an unencrypted channel.
Joe K.
<dl> wrote in message news:ex4li0mdFHA.3712@TK2MSFTNGP09.phx.gbl...
> I thought the content of the authentication cookie is an encrypted session
> ticket, with no username / password information, isn't it?
>
> "Dominick Baier [DevelopMentor]" <dbaier@pleasepleasenospamdevelop.com>
> wrote in message news:501385632549583320741864@news.microsoft.com...
>> Hello dl,
>>
>> I guess you are using FormsAuth - so authentication is based on a cookie.
>> This cookie has to be transmitted to every page that requires
>> authentication.
>>
>> This would mean that you secure the login page, but all remaining pages
>> will receive the cookie in clear text. If someone can steal/sniff that cookie
>> he can hijack the authenticated user's identity.
>>
>> or short - No.
>>
>> ---------------------------------------
>> Dominick Baier - DevelopMentor
>> http://www.leastprivilege.com
>>
>> > Hi
>> > Can we set SSL enable only for the login page, in an ASP.NET
>> > application
>> > TIA
>>
>>
>>
>
>
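
The exposure described in this thread, as an added example that is not part of the original posts: a small Python audit over constructed traffic records that flags a Forms Authentication cookie issued without the Secure attribute or sent over plain HTTP. The host `shop.example`, the ticket value and the `audit` helper are assumptions; `.ASPXAUTH` is the ASP.NET default cookie name.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

AUTH_COOKIE = ".ASPXAUTH"  # ASP.NET Forms Authentication default cookie name

# Constructed sample traffic (not from the thread):
# (request URL, request Cookie header, response Set-Cookie header)
SAMPLE_TRAFFIC = [
    # Login page is on HTTPS, but the ticket is issued without Secure.
    ("https://shop.example/login.aspx", "",
     ".ASPXAUTH=9F3C0A; path=/; HttpOnly"),
    # A later page on plain HTTP: the browser attaches the ticket in clear text.
    ("http://shop.example/orders.aspx", ".ASPXAUTH=9F3C0A; lang=en", ""),
    # Same ticket over HTTPS: not exposed on the wire.
    ("https://shop.example/account.aspx", ".ASPXAUTH=9F3C0A", ""),
    # Plain HTTP without the ticket: nothing to steal.
    ("http://shop.example/help.aspx", "lang=en", ""),
]


def audit(traffic, cookie_name=AUTH_COOKIE):
    """Return (url, finding) pairs for every exposure of the auth cookie."""
    findings = []
    for url, cookie_hdr, set_cookie_hdr in traffic:
        scheme = urlsplit(url).scheme

        # Response side: was the ticket issued without the Secure attribute?
        issued = SimpleCookie()
        issued.load(set_cookie_hdr)
        if cookie_name in issued and not issued[cookie_name]["secure"]:
            findings.append((url, "issued without Secure attribute"))

        # Request side: did the ticket travel over an unencrypted channel?
        sent = SimpleCookie()
        sent.load(cookie_hdr)
        if cookie_name in sent and scheme != "https":
            findings.append((url, "sent over unencrypted channel"))
    return findings


if __name__ == "__main__":
    for url, finding in audit(SAMPLE_TRAFFIC):
        print(f"{url}: {finding}")
```

In ASP.NET, setting `requireSSL="true"` on the `<forms>` element makes the ticket cookie carry the Secure attribute, so browsers stop sending it over HTTP and every authenticated page then has to be served over HTTPS.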