From what I understand AuthCookie, that is created by FormsAuthentication, takes care of encrypting (am I right?) and creating the Auth Token. Once created, the token/authCookie is passed on every client <-> server communiqué
From what I understand to keep the token from being highjacked, we need to put the site under SSL (HTTPS)
Quesetion #1: will AJAX calls compromise the security of our site? will they even work under HTTPS.
Question #2: We use IIS7.5 and some of our pages don't require a secure login; but given the AuthCookie, I guess it's best to put everything under HTTPS. will there be a noticeable performance drawback with this approach? what are some of the other disadvantages?
cheers
Your understanding is correct. ASP.NET manages the encryption of your FormsAuthentication token, which is the value of your auth cookie and this prevents tampering, but if sent over the wire via HTTP it is suceptible to third-party theft leading to session hijacking.
To your specific questions:
No, AJAX calls should not compromise the security of your site, specifically because they should indeed work over HTTPS.
Yes. You should run everything under HTTPS when you have a website that requires authentication. With relatively modern computers, the performance impact of running under HTTPS should be minimal. It's always valuable to test given your specific scenario, of course, but as a rule, the impact is a single digit percentage or less, and is not what one would generally consider to be noticeable.