问题
I'm looking to put SSL into place to prevent cookie replay attacks on our site.
The site is using .NET forms authentication. Do I just need to enable SSL for the login page or would it be every page behind the forms authentication that needs to be secure?
THanks
回答1:
You would need to enable SSL for every page where the browser is instructed to send the authentication ticket cookie. By default, that would mean every page on your website, although when writing the cookie to the browser you can instruct it to only send it over HTTPS or to limit it to certain paths.
But in general it would mean SSL protecting every page on your site, not just your sign in page.
回答2:
.Net websites transfer non only the viewstate but any cookies back to the server on postback. This impacts your security in that someone using firesheep (or a similar tool) could easily pick up an authentication cookie, not on login, but when a user postsback via a button press, or ajax event several pages into the application.
If you have access to IIS you can not only enable SSL use, but force it.
来源:https://stackoverflow.com/questions/7677516/asp-net-using-ssl-to-prevent-cookie-replay-attack