Authentication cookie security


Kirsten

I'm using Form authentication with Cookies and I'm reading about replay
attacks.
Is there any way besides using SSL to protect the cookie?

Comparing other systems: how does Hotmail handle this feature? For example,
I login using SSL to read my mail but then Hotmail switches to HTTP. So,
anyone can take my cookie and read my mail?

Thanks a lot.
 
A good read to start with is Foundstone's ASP.NET Authentication white paper:
http://bit.ly/10o9xL

It has many techniques to reduce your exposure. In general, if you are using
SSL for the cookie, it will always be passed back SSL. This is done in web
config by setting the requireSSL to true. You should also consider setting
protection to ALL so the actual data is protected. With the two, you have
greatly reduced the footprint. It is also useful to avoid any user data on
the client side, which can be done quite easily by using the Membership bits
(even if yours are customized).

The Foundstone white paper has suggestions on pages 9-10 to help you make
things more secure. Using their guidelines, you should make your footprint
small enough to avoid casual hackers, and even most routine hackers.
Depending on your site, this is probably enough.

Further security? An IP address added to the session check makes an even
smaller vector. As IPs can be spoofed, as well, it only reduces the vector.
But making the target smaller certainly makes it harder to hit and requires
the hacker have more experience.

--
Gregory A. Beamer
MVP; MCP: +I, SE, SD, DBA

Twitter: @gbworld
Blog: http://gregorybeamer.spaces.live.com

********************************************************
| Think outside the box! |
********************************************************
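The two web.config settings the reply recommends, shown as an added example that is not part of either post (the loginUrl, timeout and the weak "before" values are assumptions for illustration; the attribute names are the standard ASP.NET Forms authentication ones):

```xml
<!-- BEFORE (weak, constructed for illustration): the ticket is only signed,
     and nothing stops the browser sending the cookie over plain HTTP, so a
     cookie captured from an HTTP request can be replayed until it expires. -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx"
             protection="Validation"
             requireSSL="false"
             timeout="525600" />
    </authentication>
  </system.web>
</configuration>

<!-- AFTER: requireSSL marks the auth cookie Secure so the browser only sends it
     over HTTPS; protection="All" both encrypts and signs the ticket so its
     contents cannot be read or altered on the client. A shorter, absolute
     timeout bounds how long a stolen cookie stays usable. httpOnlyCookies keeps
     script on the page from reading the cookie at all. -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx"
             protection="All"
             requireSSL="true"
             cookieless="UseCookies"
             slidingExpiration="false"
             timeout="30" />
    </authentication>
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>
</configuration>
```

Check the result in the browser's cookie store or a response capture: the .ASPXAUTH cookie should carry both the Secure and HttpOnly flags, and the site must redirect HTTP to HTTPS for every page, since with requireSSL="true" an authenticated user who lands on an HTTP URL is simply treated as anonymous.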
 