Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

INFO: Help Secure Forms Authentication by Using Secure Sockets Layer (SSL)


View products that this article applies to.

Summary

By default, the cookie that contains the forms authentication ticket is not secured when you use forms authentication in a Microsoft ASP.NET Web application. This article describes how to help secure forms authentication by using Secure Sockets Layer (SSL). This article also describes additional implementation options and alternative ways to help secure forms authentication.

↑ Back to the top


More information

Forms-based authentication is an ASP.NET authentication service that enables applications to provide their own logon interface and to perform custom credential verification. With forms authentication, ASP.NET authenticates the users and then redirects unauthenticated users to the logon page that is specified by the loginUrl attribute of the <forms> element in the Web.config file. When you provide credentials through the logon form, the application authenticates the request, and then the system issues a FormsAuthenticationTicket class in the form of a cookie. The FormsAuthenticationTicket class is passed as a cookie in response to subsequent Web requests from the authenticated client.

Although forms authentication provides a flexible means of authentication, you must carefully consider some important issues when you help secure an ASP.NET application. You must help protect the initial logon credentials by using SSL because the credentials are sent to the server as plaintext. You must also make sure that you help protect the cookie that contains the forms authentication ticket. To do this, use SSL on all the pages to help protect the ticket. Alternatively, you can encrypt the forms authentication ticket by setting the protection attribute of the <forms> element to All or to Encrypt in the Web.config file, and use the Encrypt method of the FormsAuthentication class to encrypt the ticket. For more information about the Encrypt method of the FormsAuthentication class, see the "" section of this article.

Advantages of Forms Authentication

  • Forms authentication supports authentication against a custom data store, such as a Microsoft SQL Server database or Active Directory directory services. For more information, see the "REFERENCES" section of this article.
  • Forms authentication supports role-based authorization with role lookup from a data store.
  • Forms authentication is smoothly integrated with the Web user interface. For more information, see the "REFERENCES" section of this article.
  • ASP.NET provides much of the infrastructure. Relatively little code is required in comparison to Microsoft Active Server Pages versions 3.0 and earlier..
  • ASP.NET forms authentication does not require Microsoft Internet Explorer. Forms authentication supports a wide range of Web browser clients.

How to Help Make Forms Authentication Secure

  • Use SSL for all pages.
  • Use the Encrypt method of the FormsAuthentication class.

Use SSL for All Pages

Help make to sure that the authentication cookie remains secure throughout a client browser session by using SSL encryption to help secure secure access to all pages. By using SSL encryption on the application, you help prevent anyone from compromising the authentication cookie and from transmitting other valuable information.

Set the value of the requireSSL property to true in the Web.config file. This puts SSL in place when the cookie is sent back to the browser. If you do not set the value of requireSSL to true, the form throws an exception or does not authenticate with the cookie.

When requireSSL is set to true, the encrypted connection helps protect the credentials of the user, and ASP.NET sets the HttpCookie.Secure property for the authentication cookie. The compliant browser does not return the cookie unless the connection uses SSL. The following example shows how to do this in the Web.config file for your application:
 <configuration>
 <system.web>
   <authentication mode="Forms">
     <forms name=".ASPXAUTH"
       loginUrl="login.aspx" 
       protection="All"
       timeout="20"
       requireSSL="true">
     </forms>
   </authentication > 
   <authorization>
     <deny users="?" />
   </authorization>
 </system.web>
</configuration>
The following example takes action if the cookie is set to transmit securely:

Visual C# .NET Code
 string cookieName = FormsAuthentication.FormsCookieName.ToString(); 
 HttpCookie MyCookie = Context.Request.Cookies[cookieName];

 if (MyCookie.Secure)
 {
      Response.Write("The cookie is secure with SSL.");
      // Add other required code here.
 } 

Visual Basic .NET Code
   Dim cookieName As String = FormsAuthentication.FormsCookieName.ToString
   Dim MyCookie As HttpCookie = Context.Request.Cookies(cookieName)
   If MyCookie.Secure Then
      Response.Write("The cookie is secure with SSL.")
      ' Add other required code here.
   End If

Use the Encrypt Method of the FormsAuthentication Class

If you only use SSL on the initial logon Web page to encrypt the credentials that are passed for authentication, make sure that the forms authentication ticket that is contained in a cookie is protected. The forms authentication tickets must be protected because the cookie is passed between the client and the server on each subsequent Web request. To encrypt the forms authentication ticket, configure the protection attribute of the <forms> element, and use the Encrypt method of the FormsAuthentication class to encrypt the ticket.
<authentication mode="Forms">
  <forms name="MyAppFormsAuth"
       loginUrl="login.aspx"
       protection="All"
       timeout="20" 
       path="/" >
  </forms>
</authentication> 
Because the protection attribute is set to All, when the application calls the FormsAuthentication.Encrypt method, the ticket must be validated and be encrypted.

Call the Encrypt method when you create the forms authentication ticket. You typically create the ticket in the Login event handler of the application.

Visual C# .NET Code
string encryptedTicket = FormsAuthentication.Encrypt(authTicket);
Visual Basic .NET Code
Dim encryptedTicket As String = FormsAuthentication.Encrypt(authTicket)

↑ Back to the top


References

For information about ASP.NET and forms authentication, visit the following Microsoft Web sites:
Authentication in ASP.NET: .NET Security Guidance
http://msdn2.microsoft.com/en-us/library/ms978378.aspx
For additional information about using SSL to secure forms authentication, click the following article numbers to view the articles in the Microsoft Knowledge Base:
306590 INFO: ASP.NET Security Overview
315588 HOW TO: Secure an ASP.NET Application Using Client-Side Certificates
313116 PRB: Forms Authentication Requests Are Not Directed to loginUrl Page
324069 HOW TO: Set Up an HTTPS Service in IIS
326340 AD - HOW TO: Authenticate against the Active Directory by Using Forms Authentication and Visual Basic .NET
301240 SQL - HOW TO: Implement Forms-Based Authentication in Your ASP.NET Application by Using C# .NET
308157 SQL - HOW TO: Implement Forms-Based Authentication in Your ASP.NET Application by Using Visual Basic .NET
311495 HOW TO: Implement Role-Based Security with Forms-Based Authentication in Your ASP.NET Application by Using Visual C# .NET
306238 HOW TO: Implement Role-Based Security with Forms-Based Authentication in Your ASP.NET Application by Using Visual Basic .NET
312906 HOW TO: Create Keys by Using Visual C# .NET for Use in Forms Authentication
313091 HOW TO: Create Keys by Using Visual Basic .NET for Use in Forms Authentication

↑ Back to the top


Keywords: KB813829, kbinfo, kbconfig, kbsecurity, kbauthentication, kbwebforms, kbcookie

↑ Back to the top

Article Info
Article ID : 813829
Revision : 7
Created on : 4/19/2007
Published on : 4/19/2007
Exists online : False
Views : 449