Select the product you need help with

INFO: Help Secure Forms Authentication by Using Secure Sockets Layer (SSL)

Article ID: 813829 - View products that this article applies to.

This article refers to the following Microsoft .NET Framework Class Library namespace:

System.Web.Security

SUMMARY

By default, the cookie that contains the forms authentication ticket is not secured when you use forms authentication in a Microsoft ASP.NET Web application. This article describes how to help secure forms authentication by using Secure Sockets Layer (SSL). This article also describes additional implementation options and alternative ways to help secure forms authentication.

Back to the top | Give Feedback

MORE INFORMATION

Forms-based authentication is an ASP.NET authentication service that enables applications to provide their own logon interface and to perform custom credential verification. With forms authentication, ASP.NET authenticates the users and then redirects unauthenticated users to the logon page that is specified by the loginUrl attribute of the <forms> element in the Web.config file. When you provide credentials through the logon form, the application authenticates the request, and then the system issues a FormsAuthenticationTicket class in the form of a cookie. The FormsAuthenticationTicket class is passed as a cookie in response to subsequent Web requests from the authenticated client.

Although forms authentication provides a flexible means of authentication, you must carefully consider some important issues when you help secure an ASP.NET application. You must help protect the initial logon credentials by using SSL because the credentials are sent to the server as plaintext. You must also make sure that you help protect the cookie that contains the forms authentication ticket. To do this, use SSL on all the pages to help protect the ticket. Alternatively, you can encrypt the forms authentication ticket by setting the protection attribute of the <forms> element to All or to Encrypt in the Web.config file, and use the Encrypt method of the FormsAuthentication class to encrypt the ticket. For more information about the Encrypt method of the FormsAuthentication class, see the "" section of this article.

Advantages of Forms Authentication

Forms authentication supports authentication against a custom data store, such as a Microsoft SQL Server database or Active Directory directory services. For more information, see the "REFERENCES" section of this article.
Forms authentication supports role-based authorization with role lookup from a data store.
Forms authentication is smoothly integrated with the Web user interface. For more information, see the "REFERENCES" section of this article.
ASP.NET provides much of the infrastructure. Relatively little code is required in comparison to Microsoft Active Server Pages versions 3.0 and earlier..
ASP.NET forms authentication does not require Microsoft Internet Explorer. Forms authentication supports a wide range of Web browser clients.

How to Help Make Forms Authentication Secure

Use SSL for all pages.
Use the Encrypt method of the FormsAuthentication class.

Use SSL for All Pages

Help make to sure that the authentication cookie remains secure throughout a client browser session by using SSL encryption to help secure secure access to all pages. By using SSL encryption on the application, you help prevent anyone from compromising the authentication cookie and from transmitting other valuable information.

Set the value of the requireSSL property to true in the Web.config file. This puts SSL in place when the cookie is sent back to the browser. If you do not set the value of requireSSL to true, the form throws an exception or does not authenticate with the cookie.

When requireSSL is set to true, the encrypted connection helps protect the credentials of the user, and ASP.NET sets the HttpCookie.Secure property for the authentication cookie. The compliant browser does not return the cookie unless the connection uses SSL. The following example shows how to do this in the Web.config file for your application:

 <configuration>
 <system.web>
   <authentication mode="Forms">
     <forms name=".ASPXAUTH"
       loginUrl="login.aspx" 
       protection="All"
       timeout="20"
       requireSSL="true">
     </forms>
   </authentication > 
   <authorization>
     <deny users="?" />
   </authorization>
 </system.web>
</configuration>

The following example takes action if the cookie is set to transmit securely:

Visual C# .NET Code

 string cookieName = FormsAuthentication.FormsCookieName.ToString(); 
 HttpCookie MyCookie = Context.Request.Cookies[cookieName];

 if (MyCookie.Secure)
 {
      Response.Write("The cookie is secure with SSL.");
      // Add other required code here.
 }

Visual Basic .NET Code

   Dim cookieName As String = FormsAuthentication.FormsCookieName.ToString
   Dim MyCookie As HttpCookie = Context.Request.Cookies(cookieName)
   If MyCookie.Secure Then
      Response.Write("The cookie is secure with SSL.")
      ' Add other required code here.
   End If

Use the Encrypt Method of the FormsAuthentication Class

If you only use SSL on the initial logon Web page to encrypt the credentials that are passed for authentication, make sure that the forms authentication ticket that is contained in a cookie is protected. The forms authentication tickets must be protected because the cookie is passed between the client and the server on each subsequent Web request. To encrypt the forms authentication ticket, configure the protection attribute of the <forms> element, and use the Encrypt method of the FormsAuthentication class to encrypt the ticket.

<authentication mode="Forms">
  <forms name="MyAppFormsAuth"
       loginUrl="login.aspx"
       protection="All"
       timeout="20" 
       path="/" >
  </forms>
</authentication>

Because the protection attribute is set to All, when the application calls the FormsAuthentication.Encrypt method, the ticket must be validated and be encrypted.

Call the Encrypt method when you create the forms authentication ticket. You typically create the ticket in the Login event handler of the application.

Visual C# .NET Code

string encryptedTicket = FormsAuthentication.Encrypt(authTicket);

Visual Basic .NET Code

Dim encryptedTicket As String = FormsAuthentication.Encrypt(authTicket)

Back to the top | Give Feedback

REFERENCES

For information about ASP.NET and forms authentication, visit the following Microsoft Web sites:

Authentication in ASP.NET: .NET Security Guidance
http://msdn2.microsoft.com/en-us/library/ms978378.aspx

(http://msdn2.microsoft.com/en-us/library/ms978378.aspx)

Forms Authentication Provider
http://msdn2.microsoft.com/en-us/library/9wff0kyh(vs.71).aspx

(http://msdn2.microsoft.com/en-us/library/9wff0kyh(vs.71).aspx)

For additional information about using SSL to secure forms authentication, click the following article numbers to view the articles in the Microsoft Knowledge Base:

306590

(http://support.microsoft.com/kb/306590/EN-US/ )

INFO: ASP.NET Security Overview

315588

(http://support.microsoft.com/kb/315588/EN-US/ )

HOW TO: Secure an ASP.NET Application Using Client-Side Certificates

313116

(http://support.microsoft.com/kb/313116/ )

PRB: Forms Authentication Requests Are Not Directed to loginUrl Page

324069

(http://support.microsoft.com/kb/324069/ )

HOW TO: Set Up an HTTPS Service in IIS