I am really confused as to how secure FormsAuthentication really is, and I'd
appreciate if someone could shed light on it. I find information at MSDN
incomplete at best and self-contradictory other times.
I use SSL when retrieving username and password from web client. I then
validate them against user credential stored on a SQL Server. Because I set
Protection="All" in the Forms tag, I understand that the authentication
cookie would be encrypted and validated when sent from server to the web
client and vice versa. (Indeed, I can verify that it is encrypted by looking
at the cookie file on my local computer).
If that's the case, what is the use for Encrypt/Decrypt pair of methods?
Am I supposed to use
FormsAuthentication.RedirectFromLoginPage(FormsAut hentication.Encrypt((New
FormsAuthenticationTicket(1, loginId, DateTime.Now,
DateTime.Now.AddMinutes(20), False, ""))), False)
, rather than
FormsAuthentication.RedirectFromLoginPage(loginId, False) ?
If I use the former, as far as I can see, I simply encrypted the cookie a
second time (unnecessarily, I might add).
One MSDN article claimed that so long Authentication Ticket is encrypted
(and the logon credential is initially sent through SSL), then it is secure.
However, another article said that unless the entire site runs on SSL where
authentication cookies are passed between server and web clients, then one
is always subject to spoofing attacks where the authentication cookies could
be picked up and later reused by someone deploying a packet sniffer.
Can someone please clear up air on this issue?
Thanks
