Reputation: 8405
I've read in MSDN that when SSL is not activated for your website, you should set slidingExpiration to false. This is to limit the time that a hijacker could use the stolen auth cookie.
But this makes no sense. When there is no SSL, the hacker could take the credentials themselves and use them. Why should he/she steal the cookie when he/she has access to the username/password?
I want to say that slidingExpiration has no relation to enabledSSL.
Upvotes: 0
Views: 467
Reputation: 1038710
Why should he/she steal the cookie when he/she has access to the username/password?
What makes you think that he has access to the username/password? Only the username is present inside the encrypted forms authentication cookie. So what he steals is the cookie, not the username or password. He cannot decrypt it (unless he uses brute force), so he cannot fetch the original username, nor can he change this username. Since the password is not even present in this cookie, he cannot have the password. So if this cookie has sliding expiration activated, he could use it as long as it is valid.
But in general if you care about security you should always use SSL.
Upvotes: 1
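To make the answer's point concrete, here is an added example (not code from the question or answer, and not ASP.NET's own implementation) that models how a stolen forms authentication cookie behaves under absolute versus sliding expiration. It assumes a 30-minute timeout and the renewal rule ASP.NET documents for slidingExpiration: the ticket is reissued when a request arrives after more than half of the timeout has elapsed. The attacker's request schedule and the timing values are constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

TIMEOUT_MIN = 30  # assumed forms authentication timeout, in minutes


@dataclass(frozen=True)
class Ticket:
    """Minimal stand-in for a forms authentication ticket: issue and expiry times in minutes."""
    issued: int
    expires: int


def issue(now: int) -> Ticket:
    return Ticket(issued=now, expires=now + TIMEOUT_MIN)


def validate(ticket: Ticket, now: int, sliding: bool) -> Tuple[bool, Optional[Ticket]]:
    """Accept or reject a ticket, returning the ticket the server would hand back.

    Models the ASP.NET rule: with slidingExpiration the ticket is renewed only when
    more than half of the timeout has already elapsed since it was issued.
    """
    if now >= ticket.expires:
        return False, None
    if sliding and (now - ticket.issued) > TIMEOUT_MIN / 2:
        return True, issue(now)  # renewed: a fresh TIMEOUT_MIN window starts now
    return True, ticket


def attacker_window(sliding: bool, steal_at: int, request_every: int, horizon: int) -> Optional[int]:
    """Cookie issued to the victim at minute 0 and stolen at minute `steal_at`.

    The attacker replays it every `request_every` minutes until minute `horizon`.
    Returns the last minute at which the server still accepted the cookie, or None.
    """
    ticket = issue(0)
    last_ok: Optional[int] = None
    t = steal_at
    while t <= horizon:
        ok, renewed = validate(ticket, t, sliding)
        if not ok:
            break
        last_ok = t
        ticket = renewed  # attacker keeps whichever cookie the server set last
        t += request_every
    return last_ok


if __name__ == "__main__":
    day = 24 * 60
    print("absolute expiration, last accepted minute:", attacker_window(False, 5, 10, day))
    print("sliding expiration, last accepted minute: ", attacker_window(True, 5, 10, day))
    print("sliding, but attacker replays too rarely:  ", attacker_window(True, 5, 40, day))
```

With absolute expiration the stolen cookie dies at the original 30-minute mark no matter how often the attacker replays it. With sliding expiration an attacker who keeps replaying it at least once per timeout period is reissued a fresh cookie each time and stays logged in for the whole horizon, which is the exposure the MSDN advice is trying to bound on a site where the cookie can be sniffed in the clear.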