views: 238
answers: 0

Note: This is NOT an ASP.NET MVC question related to the [RequireSSL] attribute. That's completely different - it just has the same name.


ASP.NET Forms authentication has the RequireSSL property which requires that the auth cookie for ASP.NET membership is only ever sent over SSL. This is to prevent someone from stealing the cookie (such as by network sniffing) and impersonating the user.

So I'm wondering - with all the security-conscious changes MS have made (such as making httpOnly cookies the default), why is requireSSL not defaulted to true?

Is cookie sniffing considered a 'negligible' security risk?

Is it considered an acceptable risk to leave it false unless the connection actually allows me to access secure/personal data? If it isn't acceptable, how am I supposed to return a user to http and still know who they are?

To prevent forms authentication cookies from being captured and tampered with while crossing the network, ensure that you use SSL with all pages that require authenticated access and restrict forms authentication tickets to SSL channels by setting requireSSL="true" on the element.

To restrict forms authentication cookies to SSL channels

Set requireSSL="true" on the element, as shown in the following code.

By setting requireSSL="true", you set the secure cookie property that determines whether browsers should send the cookie back to the server. With the secure property set, the cookie is sent by the browser only to a secure page that is requested using an HTTPS URL.

Note: If you are using cookieless sessions, you must ensure that the authentication ticket is never transmitted across an unsecured channel.
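The configuration the quoted guidance describes, as an added web.config example that is not part of the original post or of the ASP.NET documentation it quotes. It shows the weak (default) forms element next to the hardened one; the loginUrl, timeout and cookie name are placeholder values chosen for the example (".ASPXAUTH" is the framework default name, the others are assumptions).

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example (not from the original post). Placeholder values:
     loginUrl, timeout. Only one forms element may be present, so the weak
     variant is shown commented out for comparison. -->
<configuration>
  <system.web>
    <authentication mode="Forms">

      <!-- WEAK: the defaults the question asks about. requireSSL="false"
           issues the auth cookie without the Secure flag, so the browser also
           sends it on http:// requests, where it can be sniffed and replayed.
           cookieless="UseDeviceProfile" may put the ticket in the URL for
           some browsers, which the quoted note warns about.
      <forms name=".ASPXAUTH"
             loginUrl="~/Account/Login"
             timeout="30"
             requireSSL="false"
             cookieless="UseDeviceProfile" />
      -->

      <!-- HARDENED: requireSSL="true" sets the Secure flag on the ticket
           cookie, so the browser only returns it over HTTPS. The server side
           enforces it too: FormsAuthentication.SetAuthCookie and
           RedirectFromLoginPage throw an HttpException when the current
           request is not over HTTPS, so the login page must itself be served
           over HTTPS. cookieless="UseCookies" guarantees the ticket is never
           placed in the URL. protection="All" keeps the ticket both encrypted
           and signed (the default, stated explicitly here). -->
      <forms name=".ASPXAUTH"
             loginUrl="~/Account/Login"
             timeout="30"
             requireSSL="true"
             cookieless="UseCookies"
             slidingExpiration="true"
             protection="All" />

    </authentication>

    <!-- Applies the same two flags as the default for every other cookie the
         application creates (HttpCookie.Secure / HttpCookie.HttpOnly), not
         just the forms ticket. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>
</configuration>
```

With requireSSL="true" a request to an http:// URL arrives without the ticket, so Request.IsAuthenticated is false there; the flag does not make the cookie usable on HTTP, it makes it unavailable on HTTP. The practical consequence for the last question in the post is that the pages on which the user must be recognised all have to be served over HTTPS, typically by redirecting http:// requests to https:// at the site or front-end level rather than returning an authenticated user to HTTP.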