6.12. Summary

Out of the box, forms authentication in ASP.NET 2.0 and ASP.NET 3.5 adds new protections by including the HttpOnly attribute on all forms authentication cookies. Used in conjunction with encryption and signing of the forms authentication ticket, the requireSSL attribute and absolute ticket expirations, you can quickly restrict the ability of malicious users to gain access to a forms authentication cookie.

When running an application in the new IIS 7.0 integrated mode, you can enable the managed FormsAuthenticationModule to authenticate both ASP.NET and non-ASP.NET resources. This is possible because ASP.NET sees every request type, not just those mapped to managed handlers, when running under the integrated mode in IIS 7.0.

ASP.NET 2.0 and ASP.NET 3.5 also include a cookieless mode of operation, whereby the forms authentication ticket is embedded in the URL. This makes it much easier for developers to author sites that work with mobile browsers as well as standard desktop browsers. In the interest of security, though, developers should avoid cookieless forms authentication tickets for sites that require high degrees of security. It is simply too easy to "leak" or expose a cookieless forms authentication ticket to someone other than the original user.
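The protections summarised in the three paragraphs above (HttpOnly cookies, encrypted and signed tickets, requireSSL, absolute expiration, cookie-only tickets, and the integrated-mode module registration) can all be expressed in a single web.config. The following is an added illustration written for this summary, not configuration taken from the book; the cookie name, login path and timeout value are assumptions, and the weaker baseline is shown only in a comment for contrast.

```xml
<?xml version="1.0"?>
<!-- Added example for this summary; not the book's own configuration.
     Cookie name, login path and timeout are assumed values. -->
<configuration>
  <system.web>
    <!-- Weaker baseline the chapter argues against (for contrast only):
         <forms name=".ASPXAUTH" loginUrl="~/Login.aspx" protection="None"
                requireSSL="false" slidingExpiration="true" timeout="2880"
                cookieless="UseUri" />
         protection="None" drops encryption and signing of the ticket,
         slidingExpiration="true" lets a stolen ticket stay valid as long
         as it keeps being used, and cookieless="UseUri" puts the ticket
         in the URL where referrers, logs and shared links expose it. -->
    <authentication mode="Forms">
      <forms name=".EXAMPLEAUTH"
             loginUrl="~/Login.aspx"
             protection="All"
             requireSSL="true"
             slidingExpiration="false"
             timeout="20"
             cookieless="UseCookies"
             enableCrossAppRedirects="false" />
    </authentication>
    <!-- Forms authentication cookies are HttpOnly by default in ASP.NET 2.0+;
         this makes the same policy explicit for every cookie the site issues
         and refuses to send them over plain HTTP. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>
  <system.webServer>
    <!-- IIS 7.0 integrated mode only: applicationHost.config registers
         FormsAuthentication with preCondition="managedHandler", so it
         skips static files. Re-adding it without the precondition lets the
         managed module protect non-ASP.NET resources as well. -->
    <modules>
      <remove name="FormsAuthentication" />
      <add name="FormsAuthentication"
           type="System.Web.Security.FormsAuthenticationModule" />
    </modules>
  </system.webServer>
</configuration>
```

The `system.webServer` section is ignored under classic mode and by IIS 6, so the same file can be deployed unchanged to both; the `system.web` settings apply everywhere. Setting `slidingExpiration="false"` together with a short `timeout` is what turns the ticket into an absolute expiration.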

Although forms authentication seems pretty simple, with a bit of custom code, you can actually solve some rather complex authentication problems. The ability in ASP.NET 2.0 and ASP.NET 3.5 to pass forms authentication tickets across applications makes it ...
