ASP.NET SSL Authentication Ticket Security?
I intend to use SSL on the login form so that the username and password is encrypted during user login.
But, after the user has been authenticated, if I return to HTTP, the Authentication Cookie will be passed from client to server on each request. How safe is this? Obviously I'll use SSL on pages where the user is entering sensitive information, but for most of the time, for performance reasons, I'll just want them to remain authenticated and use HTTP.
I note that if I set RequiresSSL="True" in my forms authentication section in web.config then the authentication cookie is not passed if I use HTTP so I cannot identify the current user.
I guess my question is:
"Is it bad practice to set RequiresSSL="false" and allow the Authentication cookie to pass over HTTP"?
The forms authentication cookie is encrypted and checksummed with the machine key for your server if you set protection="All", so it's not particularly bad to drop back to HTTP.
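The two forms-authentication settings discussed in the question and answer, as an added web.config example (not taken from the question or the answer); the login URL, cookie name and timeout are placeholder values, and `requireSSL` is the attribute name of the `forms` element that the question refers to as RequiresSSL:

```xml
<configuration>
  <system.web>
    <!-- Added example: the forms authentication ticket settings discussed above. -->
    <authentication mode="Forms">
      <!-- protection="All": the ticket is encrypted and signed with the machineKey,
           so the client can neither read nor alter its contents.
           requireSSL="true": the cookie is issued with the Secure flag, so the
           browser sends it only over HTTPS; on a plain HTTP request the server
           sees no ticket, which is the anonymous-user behaviour the question describes.
           Set requireSSL="false" only if you accept that the ticket travels in
           clear text on HTTP pages and can be reused by anyone who captures it. -->
      <forms loginUrl="~/Login.aspx"
             name=".ASPXAUTH"
             protection="All"
             requireSSL="true"
             slidingExpiration="false"
             timeout="30"
             cookieless="UseCookies" />
    </authentication>
    <!-- Mark cookies HttpOnly so page script cannot read the ticket, and require
         HTTPS for all cookies the application sets, not just the auth ticket. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
    <!-- On a web farm, configure an explicit machineKey (validationKey and
         decryptionKey) so every server can validate and decrypt the same ticket;
         a single server can rely on the autogenerated key. -->
  </system.web>
</configuration>
```

With this configuration the ticket contents stay protected by protection="All" on every request, while requireSSL="true" is the setting that keeps the ticket itself off plain HTTP.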