Article ID: 813829
This article refers to the following Microsoft .NET Framework Class Library namespace:
By default, the cookie that carries the forms authentication ticket is not secured when you use forms authentication in a Microsoft ASP.NET Web application: the browser sends it on every request to the application, including requests over plain HTTP, where it can be captured and replayed. This article describes how to help secure forms authentication by using Secure Sockets Layer (SSL). It also describes additional implementation options and alternative ways to help secure forms authentication.
Forms-based authentication is an ASP.NET authentication service that enables applications to provide their own logon interface and to perform custom credential verification. With forms authentication, ASP.NET redirects unauthenticated users to the logon page that is specified by the loginUrl attribute of the <forms> element in the Web.config file. When the user submits credentials through the logon form, the application verifies them, and ASP.NET issues a FormsAuthenticationTicket that is serialized into a cookie. The browser returns that cookie with each subsequent request, and ASP.NET treats a request that carries a valid ticket as coming from the authenticated user.
Although forms authentication provides a flexible means of authentication, you must carefully consider some important issues when you help secure an ASP.NET application. You must help protect the initial logon credentials by using SSL, because the logon form posts them to the server as plaintext. You must also help protect the cookie that contains the forms authentication ticket, because anyone who obtains the cookie can use it in place of the credentials. To do this, use SSL on all pages of the application, not only on the logon page. Alternatively, if you cannot use SSL everywhere, encrypt and sign the ticket by setting the protection attribute of the <forms> element to All (or, for encryption only, to Encrypt) in the Web.config file, and use the Encrypt method of the FormsAuthentication class to produce the cookie value. For more information about the Encrypt method of the FormsAuthentication class, see the "Use the Encrypt Method of the FormsAuthentication Class" section of this article.
Advantages of Forms Authentication
How to Help Make Forms Authentication Secure
Use SSL for All Pages
Make sure that the authentication cookie remains protected throughout the client browser session by using SSL for every page of the application. Because the browser sends the cookie with every request to the application, SSL on the logon page alone is not enough: a single request over plain HTTP exposes the ticket. By using SSL for the whole application, you help prevent anyone from capturing the authentication cookie or other valuable information in transit.
Set the requireSSL attribute of the <forms> element to true in the Web.config file. ASP.NET then issues the authentication cookie only over an SSL connection. If requireSSL is true and the application tries to issue the ticket on a request that did not arrive over SSL, ASP.NET throws an exception; and because the browser will not send a Secure cookie on a non-SSL request, any page requested over plain HTTP is treated as unauthenticated and is redirected to the logon page.
When requireSSL is set to true, the encrypted connection helps protect the credentials of the user, and ASP.NET sets the HttpCookie.Secure property for the authentication cookie. A compliant browser does not return the cookie unless the connection uses SSL. The following example shows how to do this in the Web.config file for your application:
The following example checks whether the cookie is marked to be transmitted only over SSL and takes action if it is not:
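The article's own Web.config listing is not present in this copy. The following fragment is an added example, not the article's listing; the loginUrl, timeout and slidingExpiration values are assumptions. The commented-out block shows the default configuration the article warns about, beside the hardened one:

```xml
<configuration>
  <system.web>
    <!-- Default (weak): requireSSL is false and the ticket cookie is sent over plain HTTP too.
    <authentication mode="Forms">
      <forms name=".ASPXAUTH" loginUrl="Login.aspx" />
    </authentication>
    -->

    <!-- Hardened: the cookie carries the Secure flag, and the ticket is encrypted and
         MAC-protected (protection="All"). timeout is in minutes; keep it short. -->
    <authentication mode="Forms">
      <forms name=".ASPXAUTH"
             loginUrl="Login.aspx"
             protection="All"
             requireSSL="true"
             timeout="30"
             slidingExpiration="false" />
    </authentication>

    <!-- Deny anonymous users so that every page goes through forms authentication. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>
```

With this configuration, a request for Login.aspx over plain HTTP fails when the page tries to issue the cookie, so the logon page itself must be reachable only over https. On a Web farm, every server must also share the same machineKey values, or a ticket issued by one server cannot be decrypted by another; see the "Create Keys" articles listed at the end of this article.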
Visual C# .NET Code
Visual Basic .NET Code
Use the Encrypt Method of the FormsAuthentication Class
If you use SSL only on the initial logon page to protect the credentials that are passed for authentication, make sure that the forms authentication ticket that is contained in the cookie is still protected. The ticket must be protected because the cookie is passed between the client and the server on every subsequent Web request, most of which are then sent over plain HTTP. To protect the ticket, configure the protection attribute of the <forms> element, and use the Encrypt method of the FormsAuthentication class to produce the cookie value. Note that this protects the ticket's contents from being read or modified; it does not stop someone who captures the cookie from replaying it, which only SSL on every page prevents.
When the protection attribute is set to All (the default), FormsAuthentication.Encrypt both encrypts the ticket and appends a message authentication code (MAC), so a modified ticket is rejected when it is decrypted. The value Encrypt only encrypts the ticket and does not detect tampering; the value Validation only appends the MAC and leaves the ticket readable. Use All unless you have a specific reason not to.
Call the Encrypt method when you create the forms authentication ticket, and store the string it returns as the value of the authentication cookie. You typically create the ticket in the Login event handler of the logon page.
Visual C# .NET Code
Visual Basic .NET Code
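The C# listings for the two preceding examples (checking that the cookie is marked Secure, and creating and encrypting the ticket) are not present in this copy of the article. The following is an added example, not the article's own code, that covers both: it refuses to issue a ticket unless the request arrived over SSL, builds the ticket and encrypts it with FormsAuthentication.Encrypt, marks the resulting cookie Secure and HttpOnly, fails closed if the cookie is not Secure, and decrypts and validates the ticket on a later request. It assumes a Web.config with protection="All" and requireSSL="true"; the class names SecureFormsAuth and LoginPage, the hypothetical ValidateCredentials method and the 30-minute ticket lifetime are assumptions.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Added example, not the article's listing. Assumes <forms protection="All" requireSSL="true">.
public class SecureFormsAuth
{
    // Refuse to issue a ticket over plain HTTP. With requireSSL="true" ASP.NET would throw
    // when the cookie is written; checking first lets us redirect to https instead.
    public static bool EnsureSsl(HttpRequest request, HttpResponse response)
    {
        if (request.IsSecureConnection)
            return true;
        UriBuilder secureUrl = new UriBuilder(request.Url);
        secureUrl.Scheme = Uri.UriSchemeHttps;
        secureUrl.Port = -1;                       // default port (443) for https
        response.Redirect(secureUrl.Uri.AbsoluteUri, false);
        return false;
    }

    // Build the ticket, encrypt it, and wrap it in a cookie that the browser sends only
    // over SSL and that client-side script cannot read.
    public static HttpCookie CreateAuthCookie(string userName, string userData, bool persistent)
    {
        DateTime issued = DateTime.Now;
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1,                                     // ticket version
            userName,
            issued,
            issued.AddMinutes(30),                 // assumed lifetime; keep it short
            persistent,
            userData,                              // e.g. a role list; never put secrets here
            FormsAuthentication.FormsCookiePath);

        // With protection="All", Encrypt() encrypts the ticket and appends a MAC, so a
        // tampered cookie fails Decrypt() instead of yielding a forged identity.
        string encryptedTicket = FormsAuthentication.Encrypt(ticket);

        HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket);
        cookie.Path = FormsAuthentication.FormsCookiePath;
        cookie.HttpOnly = true;
        // ASP.NET sets Secure only on cookies it builds itself (SetAuthCookie/GetAuthCookie);
        // for a hand-built cookie we must mirror the requireSSL setting ourselves.
        cookie.Secure = FormsAuthentication.RequireSSL;
        if (persistent)
            cookie.Expires = ticket.Expiration;
        return cookie;
    }

    // On later requests: decrypt, verify the MAC, and reject expired tickets.
    // Returns null for a missing, tampered, or expired ticket.
    public static FormsAuthenticationTicket ReadTicket(HttpRequest request)
    {
        HttpCookie cookie = request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || cookie.Value == null || cookie.Value.Length == 0)
            return null;
        try
        {
            FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(cookie.Value);
            if (ticket == null || ticket.Expired)
                return null;
            return ticket;
        }
        catch (ArgumentException) { return null; } // wrong machineKey, corrupted or tampered value
        catch (HttpException)     { return null; }
    }
}

// Login.aspx code-behind: the Login event handler referred to above.
public class LoginPage : System.Web.UI.Page
{
    protected System.Web.UI.WebControls.TextBox UserName;
    protected System.Web.UI.WebControls.TextBox Password;

    protected void LoginButton_Click(object sender, EventArgs e)
    {
        if (!SecureFormsAuth.EnsureSsl(Request, Response))
            return;
        if (!ValidateCredentials(UserName.Text, Password.Text))
            return;                                // stay on the logon page

        HttpCookie authCookie = SecureFormsAuth.CreateAuthCookie(UserName.Text, "Users", false);
        // Take action if the cookie is not marked Secure: fail closed rather than leak the ticket.
        if (!authCookie.Secure)
            throw new InvalidOperationException(
                "Authentication cookie is not marked Secure; check requireSSL in Web.config.");

        Response.Cookies.Add(authCookie);
        Response.Redirect(FormsAuthentication.GetRedirectUrl(UserName.Text, false), false);
    }

    // Hypothetical credential check against your user store (see the linked KB articles).
    // Returns false (fail closed) until it is implemented.
    private bool ValidateCredentials(string user, string password)
    {
        return false;
    }
}
```

ReadTicket is only needed if you read the cookie yourself, for example to pull roles out of UserData in Application_AuthenticateRequest; for ordinary page requests the FormsAuthentication module performs the same decrypt-and-validate step before it sets User.Identity.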
For information about ASP.NET and forms authentication, visit the following Microsoft Web sites:
Authentication in ASP.NET: .NET Security Guidance
Forms Authentication Provider
For additional information about using SSL to secure forms authentication, click the following article numbers to view the articles in the Microsoft Knowledge Base:
306590 INFO: ASP.NET Security Overview (http://support.microsoft.com/kb/306590/EN-US/)
315588 HOW TO: Secure an ASP.NET Application Using Client-Side Certificates (http://support.microsoft.com/kb/315588/EN-US/)
313116 PRB: Forms Authentication Requests Are Not Directed to loginUrl Page (http://support.microsoft.com/kb/313116/)
324069 HOW TO: Set Up an HTTPS Service in IIS (http://support.microsoft.com/kb/324069/)
326340 AD - HOW TO: Authenticate against the Active Directory by Using Forms Authentication and Visual Basic .NET (http://support.microsoft.com/kb/326340/)
301240 SQL - HOW TO: Implement Forms-Based Authentication in Your ASP.NET Application by Using C# .NET (http://support.microsoft.com/kb/301240/)
308157 SQL - HOW TO: Implement Forms-Based Authentication in Your ASP.NET Application by Using Visual Basic .NET (http://support.microsoft.com/kb/308157/)
311495 HOW TO: Implement Role-Based Security with Forms-Based Authentication in Your ASP.NET Application by Using Visual C# .NET (http://support.microsoft.com/kb/311495/)
306238 HOW TO: Implement Role-Based Security with Forms-Based Authentication in Your ASP.NET Application by Using Visual Basic .NET (http://support.microsoft.com/kb/306238/)
312906 HOW TO: Create Keys by Using Visual C# .NET for Use in Forms Authentication (http://support.microsoft.com/kb/312906/)
313091 HOW TO: Create Keys by Using Visual Basic .NET for Use in Forms Authentication (http://support.microsoft.com/kb/313091/)