Is ASP.NET Membership protected from Firesheep?

I have the impression that ASP.NET Membership encrypt开发者_如何学编程s its cookie by default.

Is it relatively safe to assume that ASP.NET Membership protects against session hijacking (ala Firesheep)?

ASP.NET membership uses the exact same mechanism as any other site and is absolutely vulnerable to Firesheep attack. The cookie itself cannot be encrypted in a way that keeps it from being hijacked. All communication with the server must be encrypted to protect from session hijacking, using SSL or WEP wireless encryption.

The cookie is encrypted, but that doesn't stop someone who obtains the cookie itself from acting as you.

Only if the entire session is on HTTPS.

Firesheep doesn't care about the contents of the cookie; all it needs to do is duplicate the cookie in the attacker's browser.

As long as the cookie is sent in clear text (as opposed to HTTPS or WPA), you're still vulnerable.