Ah great! Thanks! That would solve my problem indeed... I'll test it to see the browser's reaction to variation in protocol, with that property set.
Thanks again!

Dave.

-----Original Message-----
From: Discussion of advanced .NET topics. [mailto:[EMAIL PROTECTED] On Behalf Of Efran Cobisi
Sent: April 3, 2007 4:09 AM
To: ADVANCED-DOTNET@DISCUSS.DEVELOP.COM
Subject: Re: [ADVANCED-DOTNET] HTTPS + HTTP Mixture in a web application

Hi Dave,

Even if a "talented hacker" could always find a way to hijack your cookies (but this is another story...), you could at least mark your cookies as secure, thus not allowing them to be sent over protocols different from https. FormsAuthentication provides an easy way to mark authentication cookies as secure: just set the requireSSL attribute of the /configuration/system.web/authentication/forms element to true and you'll obtain the aforementioned effect, which I hope would solve your problem.

HTH,
Efran Cobisi
http://www.cobisi.com

Dave wrote:
> Hi,
> I got a pretty tough question here (at least tough to me)
>
> My web application uses a mixture of http- and https-served pages. The user
> can log in securely with https, and view her "profile" within a secured page as
> well. Here's my problem: as you know, forms authentication sets a cookie on
> the client to "remember" who the user is. However, being logged in (with the
> cookie still alive), the user can browse to any of the http pages within the
> application, for example the home page. Doing so, the request for
> http://www.omniscienttrader.com/default.aspx will send, along with the
> request, my authentication cookie, **all that in plain, clear http**
>
> Could a talented hacker hijack the cookie during that request, and then
> access the https pages, thus stealing the identity of my poor user? I think
> so... With that in mind, is that a bad design to allow switching from http
> to https and vice-versa inside a single web application??
>
> Thank you very much!!
>
> David.
>
> David Lacerte
> Chief Knowledge Officer
> Omniscient Technology Inc
>
> ===================================
> This list is hosted by DevelopMentor® http://www.develop.com
>
> View archives and manage your subscription(s) at http://discuss.develop.com
> ===================================
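The web.config change Efran describes, written out as an added example (not from the thread); it assumes a default FormsAuthentication setup with the standard .ASPXAUTH cookie name, and the httpCookies element is an addition beyond his advice that covers the other cookies the application sets.

```xml
<!-- Added example, not from the mailing-list thread. Assumes the default
     FormsAuthentication configuration (cookie name .ASPXAUTH). -->
<configuration>
  <system.web>
    <!-- requireSSL defaults to false: the ticket cookie is then issued without
         the Secure attribute, and the browser sends it on plain http requests
         such as http://www.omniscienttrader.com/default.aspx, which is exactly
         the exposure Dave describes.

         With requireSSL="true" ASP.NET adds the Secure attribute, so the
         browser only sends the ticket over https. Two effects to expect when
         testing:
           1. The login page must itself be requested over https; otherwise
              FormsAuthentication refuses to issue the cookie and throws an
              HttpException instead of silently issuing an insecure one.
           2. On the http pages the user appears anonymous, because the browser
              withholds the cookie there. -->
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx" name=".ASPXAUTH" requireSSL="true" />
    </authentication>

    <!-- Not part of Efran's suggestion: the same Secure (and HttpOnly)
         treatment for every other cookie the application issues, for example
         the ASP.NET session cookie, which would otherwise still travel over
         http. -->
    <httpCookies requireSSL="true" httpOnlyCookies="true" />
  </system.web>
</configuration>
```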