views: 166 | answers: 1

I intend to use SSL on the login form so that the username and password is encrypted during user login.

But, after the user has been authenticated, if I return to HTTP, the Authentication Cookie will be passed from client to server on each request. How safe is this? Obviously I'll use SSL on pages where the user is entering sensitive information, but for most of the time, for performance reasons, I'll just want them to remain authenticated and use HTTP.

I note that if I set RequiresSSL="True" in my forms authentication section in web.config then the authentication cookie is not passed if I use HTTP so I cannot identify the current user.

I guess my question is:

"Is it bad practice to set RequiresSSL="false" and allow the Authentication cookie to pass over HTTP"?

+1  A: 

The forms authentication cookie is encrypted and checksummed with the machine key for your server if you set protection="All", so it's not particularly bad to drop back to HTTP.

blowdart
Thanks blowdart - yes it is, so I guess if a cross-site scripter hijacked the cookie, at least they couldn't see what's in it. BUT - I'm worried they could send a request with the cookie and pretend to be the authenticated user? The server wouldn't know any difference.
PapillonUK
The cookie is HTTP Only so XSS is mitigated against (except under Safari which doesn't honour that)
blowdart
Ah - Is that so! I never knew that! So only the server can access it. In that case I think it's pretty safe. I'll close this tomorrow if no-one tells me any different - thanks blowdart. - safe of course apart from Safari users!
PapillonUK
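The two web.config variants the question and answer are talking about, as an added illustration that is not part of the original thread or of any ASP.NET documentation: the setting the asker is tempted to use beside the hardened one. The element and attribute names (`forms`, `protection`, `requireSSL`, `httpCookies`, `httpOnlyCookies`) are the real ASP.NET forms-authentication configuration; the login URL, timeout and the comments are assumptions, and the two `system.web` blocks are alternatives to choose between, not one file.

```xml
<!-- Variant 1 (what the question proposes): protection="All" means the ticket in the
     .ASPXAUTH cookie is encrypted and MAC'd with the machine key, so whoever captures
     it cannot read or alter it. But requireSSL="false" lets the browser send the cookie
     on plain HTTP requests too, so on an untrusted network it is a bearer token that can
     be captured and replayed unchanged until the ticket times out. -->
<system.web>
  <authentication mode="Forms">
    <forms loginUrl="~/Account/Login"   <!-- assumed path -->
           protection="All"
           requireSSL="false"
           timeout="30"                 <!-- assumed value, minutes -->
           slidingExpiration="true" />
  </authentication>
</system.web>

<!-- Variant 2 (hardened): requireSSL="true" makes ASP.NET mark the authentication cookie
     Secure, so the browser never transmits it over HTTP. The trade-off is exactly the one
     the question observes: HTTP pages see an anonymous user. httpOnlyCookies="true" makes
     the HttpOnly flag (which the answer relies on) explicit and applies it to every cookie
     the application sets, and requireSSL on httpCookies marks them all Secure as well. -->
<system.web>
  <authentication mode="Forms">
    <forms loginUrl="~/Account/Login"
           protection="All"
           requireSSL="true"
           timeout="30"
           slidingExpiration="true" />
  </authentication>
  <httpCookies httpOnlyCookies="true" requireSSL="true" />
</system.web>
```

The point the configuration makes concrete: encryption and the MAC protect the cookie's contents, and HttpOnly keeps page script away from it, but neither protects the cookie in transit. Only the Secure flag, which `requireSSL="true"` turns on, stops the browser from handing the ticket to anyone on the path of an HTTP request, which is why the usual recommendation is to keep the whole authenticated session on HTTPS rather than just the login form.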