Reputation: 83
securing ASP.NET forms authentication token on client side?
In my website, I am not using any authentication or authorization. I've created login page to capture the user credentials and check against database. If the user successfully authenticates, it's storing the user data in session and navigating to other pages.
How thinking of implementing Forms Authentication, but my concern is how to secure the authentication token in client browser for security reasons. Does anyone have any ideas how to secure the authentication token?
Upvotes: 3
Views: 2561
Answers (1)
Reputation: 21117
Session:
Fast, Scalable, and Secure Session State Management for Your Web Applications
Authentication:
How To: Protect Forms Authentication in ASP.NET 2.0
Step 1. Configure
Ensure that your forms authentication tickets are encrypted and integrity checked by setting protection="All" on the element. This is the default setting and you can view this in the Machine.config.comments file.
<forms protection="All" ... />
Step 2. Use SHA1 for HMAC Generation and AES for Encryption
<machineKey
validationKey="AutoGenerate,IsolateApps"
decryptionKey="AutoGenerate,IsolateApps"
decryption="Auto"
validation="SHA1" />
Step 3. Protect Authentication Tickets with SSL
<forms loginUrl="Secure\Login.aspx"
requireSSL="true" ... />
Upvotes: 3
Related Questions
- Token Based Authentication MVC 5
- Forms authentication to create bearer tokens for Web API?
- ASP.Net - Generating Secure Tokens
- form Authentication
- How to secure .ASPXAUTH token
- Asp .net Forms Authentication token using pure javascript
- Forms authentication Of Asp.net
- Authorization security of ASP.NET Forms authentication
- ASP.Net - Forms Authentication setup for specific Security concerns
- ASP.Net: Authentication via Browser's Login Window