I'm working on an application which uses the Session variable to keep track of users, checking on the master page for its existence, otherwise knocking them out to login. I wanted to change this over to Forms Authentication as I read it was more secure and the data is encrypted.
Can someone tell me what data is actually encrypted? I tried setting up Forms Authentication on my site; it works fine, users are being tracked properly and can't access pages without logging in. However, when I look at the Request Body using Fiddler, I see all the form fields and their content. Can't a hacker use that to change the data and resubmit the request, like they would with a cookie generated from a Session variable? This application is not using SSL, so I understand SSL would encrypt the body, but I thought that's what Forms Authentication would do also. Otherwise what does it encrypt, just the Session ID in the cookie?
Here is the code I was using:
    <authentication mode="Forms">
        <forms loginUrl="default.aspx" name=".ASPXFORMSAUTH_Test" defaultUrl="home.aspx" protection="All"/>
    </authentication>
    <authorization>
        <deny users="?"/>
    </authorization>
in the login page I tried to manually create the cookie:
    // Build the ticket: version, user name, issue time, expiry, persistent flag, user data, cookie path.
    FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(1,
        txtEmail.Text,
        DateTime.Now,
        DateTime.Now.AddMinutes(30),
        false,
        txtEmail.Text,
        FormsAuthentication.FormsCookiePath);
    // Encrypt the ticket.
    string encTicket = FormsAuthentication.Encrypt(ticket);
    // Create the cookie.
    Response.Cookies.Add(new HttpCookie(FormsAuthentication.FormsCookieName, encTicket));
    // Redirect back to original URL.
    Response.Redirect(FormsAuthentication.GetRedirectUrl(txtEmail.Text, false));
I had also tried:
    FormsAuthentication.RedirectFromLoginPage(txtEmail.Text, false);
earlier, and got the same results: the request body in Fiddler shows all fields being submitted and their contents.
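As an added example (not the asker's code), here is the same login and the server-side check side by side, with comments marking what protection="All" does and does not cover. It assumes a txtPassword field, a btnLogin_Click handler and a configured Membership provider; the Application_AuthenticateRequest hook repeats what FormsAuthenticationModule already does on every request, only to make the check visible.

```csharp
using System;
using System.Web;
using System.Web.Security;
public partial class Login : System.Web.UI.Page
{
    protected void btnLogin_Click(object sender, EventArgs e)
    {
        // Nothing in the POST body (txtEmail, txtPassword) is encrypted by
        // Forms Authentication; only TLS protects these fields on the wire.
        if (!Membership.ValidateUser(txtEmail.Text, txtPassword.Text))
            return;
        var ticket = new FormsAuthenticationTicket(
            1, txtEmail.Text, DateTime.Now, DateTime.Now.AddMinutes(30),
            false, string.Empty, FormsAuthentication.FormsCookiePath);
        // This is what protection="All" covers: the serialized ticket is
        // encrypted and MAC'd with the machineKey, so the cookie value is
        // opaque to the client and any edit to it fails validation.
        string encTicket = FormsAuthentication.Encrypt(ticket);
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encTicket)
        {
            HttpOnly = true,                         // hidden from page scripts
            Secure = FormsAuthentication.RequireSSL, // set when requireSSL="true"
            Path = FormsAuthentication.FormsCookiePath
        };
        Response.Cookies.Add(cookie);
        Response.Redirect(FormsAuthentication.GetRedirectUrl(txtEmail.Text, false));
    }
}

// Global.asax.cs: FormsAuthenticationModule performs this same validation
// itself; the hook below only shows what the server recovers from the cookie.
public class Global : HttpApplication
{
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        HttpCookie authCookie = Request.Cookies[FormsAuthentication.FormsCookieName];
        if (authCookie == null) return;
        try
        {
            FormsAuthenticationTicket t = FormsAuthentication.Decrypt(authCookie.Value);
            // Name, IssueDate, Expiration and UserData travel encrypted; a
            // client that edits the cookie cannot produce a ticket that decrypts.
            if (t == null || t.Expired) FormsAuthentication.SignOut();
        }
        catch (Exception)
        {
            // Decrypt rejects a tampered or foreign-key cookie; fail closed.
            FormsAuthentication.SignOut();
        }
    }
}
```

The encrypted, MAC-protected value is the auth cookie only; the login form's POST fields and every later request body stay readable in Fiddler until the site is served over TLS.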