
When to use FormsAuthentication.Encrypt/Decrypt methods?

CW
I am really confused as to how secure FormsAuthentication really is, and I'd
appreciate if someone could shed light on it. I find information at MSDN
incomplete at best and self-contradictory other times.

I use SSL when retrieving the username and password from the web client. I then
validate them against user credentials stored in SQL Server. Because I set
Protection="All" in the Forms tag, I understand that the authentication
cookie would be encrypted and validated when sent from server to the web
client and vice versa. (Indeed, I can verify that it is encrypted by looking
at the cookie file on my local computer).

If that's the case, what is the use for Encrypt/Decrypt pair of methods?

Am I supposed to use
FormsAuthentication.RedirectFromLoginPage(FormsAuthentication.Encrypt(New
FormsAuthenticationTicket(1, loginId, DateTime.Now,
DateTime.Now.AddMinutes(20), False, "")), False)

, rather than
FormsAuthentication.RedirectFromLoginPage(loginId, False) ?

If I use the former, as far as I can see, I simply encrypted the cookie a
second time (unnecessarily, I might add).

One MSDN article claimed that so long as the Authentication Ticket is encrypted
(and the logon credential is initially sent through SSL), then it is secure.
However, another article said that unless the entire site runs on SSL where
authentication cookies are passed between server and web clients, then one
is always subject to spoofing attacks where the authentication cookies could
be picked up and later reused by someone deploying a packet sniffer.

Can someone please clear the air on this issue?

Thanks

Nov 18 '05 #1
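As an added illustration (not part of CW's post, and not code from MSDN): the Encrypt/Decrypt pair exists so that you can build the ticket yourself, typically to carry extra data in its UserData field, and then write the cookie and read it back. RedirectFromLoginPage(loginId, False) builds and encrypts a ticket internally, so handing it an already-encrypted string as the user name wraps one encrypted ticket inside another. The example below assumes ASP.NET 2.0 or later, a `<forms protection="All" requireSSL="true" />` setting in web.config, and a constructed `roles` string; `TicketHelper`, `IssueTicket` and `RolesFromRequest` are names chosen here, not framework members.

```csharp
// Added example, not from the original post. Issues and reads a forms
// authentication ticket explicitly via FormsAuthentication.Encrypt/Decrypt.
// Assumes: ASP.NET 2.0+, <forms protection="All" requireSSL="true" /> in
// web.config. The "roles" value is constructed sample data.
using System;
using System.Web;
using System.Web.Security;

public static class TicketHelper
{
    // Does what RedirectFromLoginPage(loginId, false) does, plus a userData
    // payload (here a comma-separated role list) that the two-argument
    // overload cannot carry. Encrypt() applies whatever <forms protection>
    // is configured: with "All" that is encryption plus an HMAC.
    public static void IssueTicket(HttpResponse response, string loginId, string roles)
    {
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1,                           // ticket format version
            loginId,                     // authenticated user name
            DateTime.Now,                // issue time
            DateTime.Now.AddMinutes(20), // absolute expiry
            false,                       // not persistent: session cookie only
            roles);                      // userData: roles for this session

        string encrypted = FormsAuthentication.Encrypt(ticket);

        HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encrypted);
        cookie.HttpOnly = true;  // not readable by client-side script
        cookie.Secure = true;    // browser sends it over HTTPS only, so a
                                 // sniffer on a plain-HTTP page never sees it
        cookie.Path = FormsAuthentication.FormsCookiePath;
        response.Cookies.Add(cookie);

        // Same destination RedirectFromLoginPage would have chosen.
        response.Redirect(FormsAuthentication.GetRedirectUrl(loginId, false));
    }

    // Reads the ticket back, e.g. from Application_AuthenticateRequest.
    // Returns an empty array when there is no valid, unexpired ticket.
    public static string[] RolesFromRequest(HttpRequest request)
    {
        HttpCookie cookie = request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value))
            return new string[0];

        FormsAuthenticationTicket ticket;
        try
        {
            // Decrypt validates the MAC before decrypting; a tampered or
            // forged value fails here rather than yielding a ticket.
            ticket = FormsAuthentication.Decrypt(cookie.Value);
        }
        catch (Exception)
        {
            return new string[0];
        }

        if (ticket == null || ticket.Expired)
            return new string[0];

        return ticket.UserData.Split(',');
    }
}
```

Note that the Secure flag and requireSSL only stop the cookie from travelling in the clear; a ticket that is replayed before its expiry from a machine that already holds it is still accepted, so the expiry window and HttpOnly are the remaining controls.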