
From what I understand, the AuthCookie that is created by FormsAuthentication takes care of encrypting (am I right?) and creating the Auth Token. Once created, the token/authCookie is passed on every client <-> server communiqué.

From what I understand, to keep the token from being hijacked, we need to put the site under SSL (HTTPS).

Question #1: Will AJAX calls compromise the security of our site? Will they even work under HTTPS?

Question #2: We use IIS 7.5, and some of our pages don't require a secure login; but given the AuthCookie, I guess it's best to put everything under HTTPS. Will there be a noticeable performance drawback with this approach? What are some of the other disadvantages?

cheers

1 Answer


Your understanding is correct. ASP.NET manages the encryption of your FormsAuthentication token, which is the value of your auth cookie, and this prevents tampering; but if sent over the wire via HTTP it is susceptible to third-party theft leading to session hijacking.

To your specific questions:

  1. No, AJAX calls should not compromise the security of your site, specifically because they should indeed work over HTTPS.

  2. Yes. You should run everything under HTTPS when you have a website that requires authentication. With relatively modern computers, the performance impact of running under HTTPS should be minimal. It's always valuable to test given your specific scenario, of course, but as a rule the impact is a single-digit percentage or less, and is not what one would generally consider to be noticeable.


3 Comments

So to be clear, FormsAuthentication.SetAuthCookie(username, true); will generate an "encrypted" authCookie? Or do I need to use FormsAuthentication.Encrypt(authTicketVariable); myself to enforce the encryption? Thanks so much for your clear and precise answer, btw!
btw, since we can have client browsers that may not have cookies enabled, I understand the token can potentially be passed through the URL?! Am I 100% guaranteed that HTTPS will keep this token secure? Wouldn't a user be able to modify this token to impersonate others?
@DotNet98 Yes, that's correct. SetAuthCookie() calls FormsAuthentication.Encrypt(). You don't need to do it. Browsers that have cookie support turned off are nearly non-existent these days, so even though it isn't ideal, it isn't a large threat. HTTPS gives you some protection in this case as well, because the only part of the request that isn't encrypted is the domain. The path and querystring values are in the encrypted tunnel and aren't exposed to potential theft off the wire.
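As an added example (not from the question, answer or comments above), here is a web.config fragment that turns the answer's advice into settings: the forms ticket is marked Secure so the browser never sends it over plain HTTP, the ticket is kept out of the URL, and every HTTP request is redirected to HTTPS. The loginUrl and timeout are assumed placeholder values, and the redirect rule assumes the IIS URL Rewrite module is installed on the IIS 7.5 server.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <!--
      Weak configuration this replaces (defaults, shown for contrast, not active):
        <forms loginUrl="~/Account/Login" cookieless="UseDeviceProfile" />
      With that, the cookie has no Secure flag, so a browser also sends it over
      HTTP, and a device profile without cookie support moves the ticket into
      the URL (cookieless="UseUri" / "AutoDetect" behave the same way).
    -->
    <authentication mode="Forms">
      <forms loginUrl="~/Account/Login"
             name=".ASPXAUTH"
             protection="All"
             requireSSL="true"
             cookieless="UseCookies"
             slidingExpiration="true"
             timeout="30" />
      <!-- protection="All": ticket is both encrypted and MAC-validated (the default).
           requireSSL="true": auth cookie gets the Secure flag; SetAuthCookie throws
           if called on a non-HTTPS request, so it can never be issued in the clear.
           cookieless="UseCookies": never fall back to carrying the ticket in the URL. -->
    </authentication>
    <!-- Apply Secure and HttpOnly to every cookie the app sets, not just .ASPXAUTH. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>
  <system.webServer>
    <!-- Redirect all plain-HTTP requests to HTTPS (requires the URL Rewrite module). -->
    <rewrite>
      <rules>
        <rule name="Redirect to HTTPS" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTPS}" pattern="off" ignoreCase="true" />
          </conditions>
          <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

With requireSSL="true" in place, a login attempt over HTTP fails at SetAuthCookie rather than silently issuing a cookie that could be captured on the wire; the redirect rule keeps that from affecting users by sending them to the HTTPS site first.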
