Re: Are AuthTickets Secure?
- From: "Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 23 Aug 2006 16:26:22 -0500
You are right. The cookie is vulnerable to theft if the channel is not
encrypted. Use SSL for all serious secure sites.
In my opinion, the encryption of the cookie primarily serves to make it
opaque to the end user.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Dima Maltsev" <Dima Maltsev@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:6C6E9081-85B5-4B40-8891-29EBC2FF626E@xxxxxxxxxxxxxxxx
Hi All,
I've a question about AuthTickets.
Microsoft recommends using either SSL for all pages or Encryption to
protect the AuthTicket. Here is the quote from the
http://support.microsoft.com/kb/813829/ page:
"How to Help Make Forms Authentication Secure
. Use SSL for all pages.
. Use the Encrypt method of the FormsAuthentication class."
While I understand why SSL would protect the ticket, I have the following
concern regarding the second (Encryption) option.
If a user after logging in clicks on a page which is being served over HTTP,
the AuthTicket is still being sent back to a browser in a cookie. Such
requests (for non secure (HTTP) pages) can be intercepted by "a man in the
middle". Even though the AuthTicket is encrypted, it can be used as is by a
hacker to hijack the user's session.
Am I missing something? Can anybody comment on this?
Thanks,
Dima Maltsev
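The setting that enforces the "use SSL" advice above at the cookie level, as an added example that is not part of this thread: a constructed web.config fragment (the Login.aspx path and timeout are placeholders). With requireSSL="true", ASP.NET marks the forms authentication cookie Secure, so the browser will not attach it to an http:// page request like the one Dima describes, and the login page itself must be served over HTTPS because ASP.NET refuses to issue the cookie on a non-SSL request.

```xml
<!-- Constructed example, not from the thread or the KB article. -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- protection="All" encrypts and signs the ticket, which is the
           KB article's second option. On its own it only makes the ticket
           opaque: requireSSL defaults to false, so the cookie would still
           be sent on any http:// request to the site and could be replayed
           as-is by whoever observed it. -->
      <forms name=".ASPXAUTH"
             loginUrl="Login.aspx"
             protection="All"
             timeout="30"
             slidingExpiration="false"
             requireSSL="true" />
    </authentication>
    <!-- Secure and HttpOnly for every cookie the application sets
         (ASP.NET 2.0 and later), so a plain-HTTP page cannot leak them. -->
    <httpCookies requireSSL="true" httpOnlyCookies="true" />
  </system.web>
</configuration>
```

After enabling this, verify with a browser's cookie inspector that the .ASPXAUTH cookie shows the Secure attribute and that no Cookie header is sent when a page is requested over http://.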