Tags: security, cookies, asp.net-membership, requiressl

Why is the default for FormsAuthentication's requireSSL property false!


Note: This is NOT an ASP.NET MVC question related to the [RequireSSL] attribute. That's completely different - it just has the same name.


ASP.NET Forms authentication has the RequireSSL property which requires that the auth cookie for ASP.NET membership is only ever sent over SSL. This is to prevent someone from stealing the cookie (such as by network sniffing) and impersonating the user.

So I'm wondering - with all the security-conscious changes MS have made (such as making httpOnly cookies the default), why is requireSSL not defaulted to true?

Is cookie sniffing considered a 'negligible' security risk?

Is it considered an acceptable risk to leave it false unless the connection actually allows me to access secure/personal data? If it isn't acceptable - how am I supposed to return a user to http and still know who they are?

To prevent forms authentication cookies from being captured and tampered with while crossing the network, ensure that you use SSL with all pages that require authenticated access and restrict forms authentication tickets to SSL channels by setting requireSSL="true" on the <forms> element.

To restrict forms authentication cookies to SSL channels

Set requireSSL="true" on the <forms> element, as shown in the following code.

By setting requireSSL="true", you set the secure cookie property that determines whether browsers should send the cookie back to the server. With the secure property set, the cookie is sent by the browser only to a secure page that is requested using an HTTPS URL.

Note: If you are using cookieless sessions, you must ensure that the authentication ticket is never transmitted across an unsecured channel.
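As an added illustration (not part of the original question or of the quoted Microsoft guidance), here is the <forms> element the guidance refers to, beside a login handler that checks FormsAuthentication.RequireSSL before issuing the ticket. The page class, the Login_Click handler and the UserName/Password text boxes are assumptions for the example. With requireSSL="true", ASP.NET refuses to issue the auth cookie on a request that did not arrive over HTTPS (FormsAuthentication.SetAuthCookie throws an HttpException), so the handler redirects the browser to the HTTPS form of the same URL first instead of failing.

```csharp
// web.config for a hypothetical application: the <forms> element the quoted
// guidance refers to. requireSSL defaults to false; setting it to true makes
// ASP.NET emit the .ASPXAUTH cookie with the Secure attribute, and the
// <httpCookies> element applies the same flag to every cookie the app sets.
//
//   <system.web>
//     <authentication mode="Forms">
//       <forms loginUrl="~/Login.aspx" requireSSL="true" />
//     </authentication>
//     <httpCookies httpOnlyCookies="true" requireSSL="true" />
//   </system.web>
//
// Resulting response header with requireSSL="true" (ticket value elided):
//   Set-Cookie: .ASPXAUTH=<ticket>; path=/; secure; HttpOnly
// and with the default requireSSL="false":
//   Set-Cookie: .ASPXAUTH=<ticket>; path=/; HttpOnly

using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

public partial class Login : Page
{
    // Hypothetical click handler for the login button on Login.aspx.
    protected void Login_Click(object sender, EventArgs e)
    {
        // FormsAuthentication.RequireSSL mirrors the requireSSL attribute on <forms>.
        // When it is true and the current request is plain HTTP, SetAuthCookie
        // would throw an HttpException rather than hand a Secure cookie to a
        // browser over an unencrypted channel. Bounce to HTTPS first.
        if (FormsAuthentication.RequireSSL && !Request.IsSecureConnection)
        {
            UriBuilder secure = new UriBuilder(Request.Url)
            {
                Scheme = Uri.UriSchemeHttps,
                Port = -1   // default port for the scheme
            };
            Response.Redirect(secure.Uri.AbsoluteUri, endResponse: true);
            return;
        }

        // UserName and Password are assumed TextBox controls on the page.
        if (Membership.ValidateUser(UserName.Text, Password.Text))
        {
            // Issues the .ASPXAUTH ticket; with requireSSL="true" it carries the
            // Secure flag, so the browser will only return it on https:// requests.
            FormsAuthentication.SetAuthCookie(UserName.Text, createPersistentCookie: false);
            Response.Redirect(FormsAuthentication.GetRedirectUrl(UserName.Text, false), true);
        }
        else
        {
            FailureText.Text = "Invalid user name or password.";   // assumed Label control
        }
    }
}
```

Once the ticket carries the Secure flag, a browser simply omits it from any http:// request to the site, which is exactly the behaviour the quoted guidance describes: an authenticated user who is sent back to a plain-HTTP page arrives there as anonymous, so pages that need to know who the user is have to stay on HTTPS.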


Solution

  • Because you require an SSL certificate if you turn that on, and those usually cost money to acquire. You can also use browser sessions to control non-secure information - and in some public websites that may be exactly all you want to do. In that case nothing sensitive is revealed by someone stealing another person's session cookie - so why go to the cost and bother of buying and installing an SSL certificate?