Reputation: 8312
Experts,
We want a more secure login system for our future projects, rather than using session states to tell if the user is logged in or not. If my understanding is correct, once a user is authenticated via forms authentication, a cookie is generated on the user's machine. How secure is that? Is the cookie susceptible to a form of hijacking similar to session hijacking? What if the user doesn't accept cookies? Is there a better method I should take a look at?
Thanks in advance.
Upvotes: 3
Views: 1842
Reputation: 2338
The short answer is it's as safe as you make it. Most form based authentication systems use cookies to maintain a session with the end-users, but you could use other techniques if you choose to do so.
For cookie-based authentication you need to create some kind of token that identifies the authenticated user. This token needs to be something that cannot be easily guessed. This token can be passed in a cookie or stored in a session, in which case a session cookie is stored on the client's machine and the authentication token is accessed only on the server side of the connection. If you don't want the cookie to be captured by an eavesdropper then you can make the cookie Secure and HttpOnly: the former is only sent over HTTPS, and the latter makes the cookie inaccessible from JavaScript.
If the end-user does not accept cookies then the session id is usually put in the URL which is not safe.
Take a look at this link: Session Fixation
Upvotes: 2
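As an added illustration of the advice in the answer above (example code, not from the post or any particular framework), here is a minimal Python sketch of issuing an unguessable authentication token in a cookie flagged Secure and HttpOnly, resolving it against a server-side store, and revoking it on logout; the in-memory store, the `auth` cookie name and the function names are assumptions.

```python
import hashlib
import secrets
from http.cookies import CookieError, SimpleCookie
from typing import Optional, Tuple

# Assumed server-side store: SHA-256(token) -> user id (constructed for this
# example; a real deployment would use a database or cache with an expiry).
# Keeping only the hash means a leaked copy of the store yields no usable cookies.
_SESSIONS = {}

COOKIE_NAME = "auth"  # assumed cookie name


def _token_hash(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_auth_cookie(user_id: str) -> Tuple[str, str]:
    """Create an unguessable token for user_id; return (token, Set-Cookie value)."""
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, not a counter or a username
    _SESSIONS[_token_hash(token)] = user_id
    cookie = SimpleCookie()
    cookie[COOKIE_NAME] = token
    cookie[COOKIE_NAME]["secure"] = True    # browser sends it only over HTTPS
    cookie[COOKIE_NAME]["httponly"] = True  # document.cookie cannot read it
    cookie[COOKIE_NAME]["path"] = "/"
    return token, cookie[COOKIE_NAME].OutputString()


def authenticate(cookie_header: str) -> Optional[str]:
    """Map the auth cookie in a request's Cookie header to a user id, or None."""
    cookie = SimpleCookie()
    try:
        cookie.load(cookie_header)
    except CookieError:
        return None
    morsel = cookie.get(COOKIE_NAME)
    if morsel is None:
        return None
    # Unknown, tampered or revoked tokens simply miss the lookup.
    return _SESSIONS.get(_token_hash(morsel.value))


def revoke(token: str) -> None:
    """Log out: forget the token so the cookie stops working even if it was copied."""
    _SESSIONS.pop(_token_hash(token), None)
```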
Reputation: 16
The user's session ID is not used as part of the authentication cookie; the authentication cookie and the session cookie are separate.
To prevent session hijacking read this post: Foiling Session Hijacking Attempts
To provide a secure connection, you would have to use HTTPS.
Upvotes: 0