guidance using Forms authentication

[Rob Millman]

There is lots of discussion of security issues and authentication techniques,
pros/cons of different technologies and patterns, etc.

I'm looking for "Best Guidance" for a web site that will be available to the
public, with a login using username/password. FormsAuthentication seems like
a straight forward solution. However, most discussions urge SSL for the
login form. What about sending the authentication cookie back and forth with
every request? Is this vulnerable to replay attacks? Even using passport,
if someone sniffs the line and catches the cookie, can't it be used to
impersonate that specific logged in user? Isn't the ASP.NET session cookie
also vulnerable to this type of problem?

What am I missing? or should all traffic go SSL to avoid all of this?

Any guidance is much appreciated.

Robert Millman

 

[Joe Kaplan \(MVP - ADSI\)]

SSL is important for the password page because you want to make sure the
user's password isn't sent over the wire in clear text.

It is definitely possible for the session cookie or auth cookie to get
stolen and allow the user to be hijacked. This is one good reason to use
SSL for everything if you can afford the loss of scalability. There was
also a good article in MSDN Magazine by Jeff Prosise recently discussing
session hijacking and things you could do to prevent it:

http://msdn.microsoft.com/msdnmag/issues/04/08/WickedCode/

In the end, it will come down to how critical your security needs are, but
it is definitely a good idea to understand your risks as well as possible
and that article will certainly help.

Joe K.