Does forms authentication need SSL?

I am a developer working on an ASP.Net Web Application that uses forms authentication. In my experience I have always worked in an environment where we use SSL to protect the 开发者_高级运维web pages according to permissions. In my new company my manager has asked me whether we need SSL and can we do without it. We are using a private network for the application and do not anticipate any heavy duty hackers. However it is useful that permissions protect webpages from unauthorised users.

So what is the best way of tackling this?

That depends on your security needs :-).

If you trust everyone who has access to the network (this includes people like cleaning staff and external contractors) not to install sniffing software and do bad things with the passwords and personal data they sniffed, then you can do without TLS. Otherwise you need it. That's up to your manager to decide.

If it's a private network (i.e. Intranet and everyone is 'trusted') then like @sleske mentions you don't have to use SSL for anything.

That being said my question is what is the manager's reasoning for not using SSL where it makes sense? If it's cost then you could have your own (company) CA rather than using a commercial CA. Most places I've worked have setup a CA on one of their server's (which may or may not be trusted by VeriSign or one of the other commonly used CA's) and that was used to issue certificates to internal web servers. All computers on the Domain were setup to trust the company's internal CA.

As far as SSL/permission protection of your pages/content: SSL protection is a separate topic from 'permission' protecting your pages. SSL is just encrypting the http traffic from the client (browser) and the server. Protecting your pages is up to you using permissions and checking that the user is authenticated, the mechanisms for this don't change based upon (not) using SSL.