Re: Question about cookie protection and FormsAuthentication.Encrypt
- From: Dominick Baier <dbaier@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 22 Feb 2007 08:17:50 +0000 (UTC)
You only need to call Encrypt if you are manually creating the FormsAuthenticationTicket and adding it to the cookies collection.
If you are using FormsAuthentication.SetAuthCookie or RedirectFromLoginPage this is done automatically for you (according to config settings).
-----
Dominick Baier (http://www.leastprivilege.com)
Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)
I'm a little unclear on when exactly I would need to use
FormsAuthentication.Encrypt. If I have the cookie protection in the
web.config set to All (i.e. <forms loginUrl="login.aspx"
protection="All">), shouldn't my cookie already be encrypted and
tamper-proof even if I don't encrypt the authentication ticket using
FormsAuthentication.Encrypt? What do I gain by also using
FormsAuthentication.Encrypt in addition to the web.config setting?
Or is this more of a double-check than anything else?
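
The two cases the reply distinguishes, as an added C# example that is not part of the original thread: letting the framework issue the cookie versus building the ticket by hand, where Encrypt is the step that turns the ticket into a cookie value. The names LoginHelper, SignInSimple, SignInWithUserData and ReadUserData, the role string and the 30-minute lifetime are assumptions made for illustration.

```csharp
using System;
using System.Web;
using System.Web.Security;

public static class LoginHelper   // hypothetical helper, not from the thread
{
    // Case 1: the framework creates the ticket, protects it and sets the cookie.
    public static void SignInSimple(string userName)
    {
        FormsAuthentication.SetAuthCookie(userName, false);
    }

    // Case 2: the ticket is created by hand (here to carry role data), so the
    // code itself must call Encrypt before the ticket can go into a cookie.
    public static void SignInWithUserData(HttpResponse response, string userName, string roles)
    {
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1,                              // ticket version
            userName,
            DateTime.Now,                   // issue date
            DateTime.Now.AddMinutes(30),    // expiration (sample value)
            false,                          // not a persistent cookie
            roles,                          // userData, e.g. "editor|auditor"
            FormsAuthentication.FormsCookiePath);

        // The same step SetAuthCookie performs internally.
        string protectedValue = FormsAuthentication.Encrypt(ticket);

        HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, protectedValue);
        cookie.Path = FormsAuthentication.FormsCookiePath;
        cookie.HttpOnly = true;                          // keep it away from script
        cookie.Secure = FormsAuthentication.RequireSSL;  // follow the requireSSL setting
        response.Cookies.Add(cookie);
    }

    // Reading side: returns the userData, or null when there is no usable ticket.
    public static string ReadUserData(HttpRequest request)
    {
        HttpCookie cookie = request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || String.IsNullOrEmpty(cookie.Value)) return null;
        try
        {
            FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(cookie.Value);
            return (ticket == null || ticket.Expired) ? null : ticket.UserData;
        }
        catch (Exception)   // malformed or failed-validation value: treat as not signed in
        {
            return null;
        }
    }
}
```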