
Authentication Cookie subject to spoofing/sniffing attacks?

CW
It's recommended that when signing on using FormsAuthentication, one should
do so over a secure (SSL) channel.

If I understand the FormsAuthentication mechanism correctly, the Authentication
ticket generated is then appended to every single page request that needs to
be authorized. Thus, if I only use SSL to protect the SignIn page but not
the other pages (which require authorization), the Authentication ticket can be
spoofed and hijacked. The only way to ensure against that is to make sure
all pages that require authentication run on SSL - which can be quite a lot
of overhead. What bothers me is that there are a lot of commercial sites
which only use SSL at the login page. (A good example is Hotmail - which
uses SSL to authenticate the user and then redirects to non-secure pages - of
course I do know Hotmail uses the Passport authentication scheme, but I suspect
it's equally vulnerable to spoofing/sniffing attacks).

Any comments and thoughts?
Nov 18 '05 #1
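To make the concern above concrete, here is an added example (not code from the thread or from ASP.NET) that models the browser's Secure-cookie rule: a ticket cookie issued over SSL is still sent on later plain-HTTP page requests unless it carries the Secure attribute. The cookie name `.ASPXAUTH` (the ASP.NET default), the ticket value and the browsing session are assumed or constructed.

```python
# Added example, not code from the original thread: models the browser's
# Secure-cookie rule to show why a forms-auth ticket issued over SSL still
# crosses the wire in clear on later plain-HTTP pages, and how the Secure
# attribute on the ticket cookie closes that gap.
from http.cookies import SimpleCookie
from urllib.parse import urlparse

# ".ASPXAUTH" is the ASP.NET default forms-auth cookie name (assumed here;
# the thread does not name it). The ticket value is a constructed placeholder.
WEAK_HEADER = ".ASPXAUTH=TICKET_PLACEHOLDER; path=/; HttpOnly"
HARDENED_HEADER = ".ASPXAUTH=TICKET_PLACEHOLDER; path=/; HttpOnly; Secure"

# Constructed session: SSL sign-in, then ordinary pages over HTTP, as in the question.
SESSION = [
    "https://mail.example.test/signin",
    "http://mail.example.test/inbox",
    "http://mail.example.test/settings",
    "https://mail.example.test/billing",
]

def parse_set_cookie(header):
    """Return (name, value, flags) for a single Set-Cookie header value."""
    jar = SimpleCookie()
    jar.load(header)
    name, morsel = next(iter(jar.items()))
    flags = {"secure": bool(morsel["secure"]), "httponly": bool(morsel["httponly"])}
    return name, morsel.value, flags

def cookie_sent_on(header, url):
    """Would a browser attach this cookie to a request for url?
    A Secure cookie is sent over https only; without the flag it goes on
    every request for the cookie's host, plaintext requests included."""
    _, _, flags = parse_set_cookie(header)
    return urlparse(url).scheme == "https" or not flags["secure"]

def plaintext_exposure(header, urls):
    """URLs in the session on which the ticket is sent over plain HTTP,
    i.e. where a passive network observer could read it."""
    return [u for u in urls if urlparse(u).scheme == "http" and cookie_sent_on(header, u)]

def audit_auth_cookie(header):
    """Hardening findings for the ticket cookie; an empty list means none."""
    _, _, flags = parse_set_cookie(header)
    findings = []
    if not flags["secure"]:
        findings.append("ticket cookie lacks Secure: sent on plain-HTTP requests")
    if not flags["httponly"]:
        findings.append("ticket cookie lacks HttpOnly: readable from page script")
    return findings
```

With the Secure attribute the browser withholds the ticket on the two http:// pages, so those pages see an unauthenticated user; this is exactly why every page that relies on the ticket must itself be served over SSL, as the poster concludes. In ASP.NET the Secure attribute is emitted when the `<forms>` element sets `requireSSL="true"` (a real attribute, not named in the thread).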
1 Reply


"CW" wrote in message news:uL*************@TK2MSFTNGP09.phx.gbl...
> It's recommended that when signing on using FormsAuthentication, one should do so over a secure (SSL) channel.
>
> If I understand the FormsAuthentication mechanism correctly, the Authentication ticket generated is then appended to every single page request that needs to be authorized. Thus, if I only use SSL to protect the SignIn page but not
> the other pages (which require authorization), the Authentication ticket can be spoofed and hijacked.


Maybe Microsoft considered this already?
--
John Saunders
John.Saunders at SurfControl.com

Nov 18 '05 #2
