Hi Dave,

Even if a "talented hacker" could always find a way to hijack your
cookies (but this is another story...), you could at least mark your
cookies as secure, thus not allowing them to be sent over protocols
different from https. FormsAuthentication provides an easy way to mark
authentication cookies as secure: just set the requireSSL attribute of
the /configuration/system.web/authentication/forms element to true and
you'll obtain the aforementioned effect, which I hope will solve your
problem.

HTH,

Efran Cobisi
http://www.cobisi.com

Dave wrote:
Hi,
I got a pretty tough question here (at least tough to me)

My web application uses a mixture of http- and https-served pages. The user
can log in securely with https, and view her "profile" within a secured page as
well. Here's my problem: as you know, forms authentication sets a cookie on
the client to "remember" who the user is. However, being logged-in (with the
cookie still alive), the user can browse to any of the http pages within the
application, for example the home page. Doing so, the request for
http://www.omniscienttrader.com/default.aspx will send, along with the
request, my authentication cookie, **all that in plain, clear http**

Could a talented hacker hijack the cookie during that request, and then
access the https pages, thus stealing the identity of my poor user? I think
so... With that in mind, is it a bad design to allow switching from http
to https and vice versa inside a single web application?

Thank you very much!!

David.



David Lacerte

Chief Knowledge Officer

Omniscient Technology Inc
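For reference, here is the configuration Efran describes, as an added example that is not part of either message. The cookie name, login page path and timeout are assumptions; only the requireSSL attribute is the point.

```xml
<!-- web.config (added example; cookie name, loginUrl and timeout are assumed values) -->
<configuration>
  <system.web>
    <!-- requireSSL="true" makes FormsAuthentication emit the ticket cookie
         with the Secure flag, so the browser sends it only on https:// requests
         and never on the plain-http home page Dave is worried about. -->
    <authentication mode="Forms">
      <forms name=".ASPXAUTH"
             loginUrl="~/Login.aspx"
             requireSSL="true"
             protection="All"
             timeout="30"
             slidingExpiration="true" />
    </authentication>
    <!-- ASP.NET 2.0 and later: apply Secure and HttpOnly to every cookie the
         application sets, not just the forms-authentication ticket. -->
    <httpCookies requireSSL="true" httpOnlyCookies="true" />
  </system.web>
</configuration>
```

Two consequences to plan for: because the browser withholds a Secure cookie on http requests, the http pages will see the user as anonymous (so anything that must know who the user is has to be served over https), and FormsAuthentication.SetAuthCookie / RedirectFromLoginPage throw an HttpException if the login request itself did not arrive over SSL, so the login page must be https-only. The Secure flag protects the ticket from being read on the wire; it does not stop a plain-http response from setting a cookie of the same name, which is a separate reason to keep the whole authenticated part of the site on https.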




===================================
This list is hosted by DevelopMentor®  http://www.develop.com

View archives and manage your subscription(s) at http://discuss.develop.com

