I see the guidance when using formsAuthentication in ASP.NET is to use SSL via the requireSSL property.
I was under the impression that the contents of the cookie are encrypted. So I'm trying to grasp why SSL is required as well?
A:
It's not the cookie that's the problem, it's sending the username and password. Using SSL will stop that transaction being intercepted (and provides some measure of reassurance if users would ever bother checking the certificate grin)
blowdart
2009-05-25 09:49:43
@blowdart - can you respond to my 'answer' below. thanks!
Simon_Weaver
2009-11-06 04:42:04
A:
I have the same exact question!
I'm somewhat satisfied with @blowdart's answer for sites where there isn't sensitive information visible when you're logged in. Absolutely definitely you should be logging in over SSL - but also if someone gets access to your cookie they can impersonate you until it expires.
http://msdn.microsoft.com/en-us/library/ms998310.aspx
To prevent forms authentication cookies from being captured and tampered with while crossing the network, ensure that you use SSL with all pages that require authenticated access and restrict forms authentication tickets to SSL channels by setting requireSSL="true" on the element.
To restrict forms authentication cookies to SSL channels
Set requireSSL="true" on the element, as shown in the following code.
By setting requireSSL="true", you set the secure cookie property that determines whether browsers should send the cookie back to the server. With the secure property set, the cookie is sent by the browser only to a secure page that is requested using an HTTPS URL.
Note: If you are using cookieless sessions, you must ensure that the authentication ticket is never transmitted across an unsecured channel.
Simon_Weaver
2009-11-06 04:41:37