How do I protect Forms Authentication?

From Guidance Share


J.D. Meier, Prashant Bansode, Alex Mackman


To protect forms authentication, encrypt and integrity-check the authentication ticket, use SSL to protect user credentials and authentication tickets on the wire, do not persist authentication cookies on the client, enforce strong passwords, store passwords as non-reversible salted hashes, and protect your user store.

Protecting authentication tickets helps to avoid spoofing and impersonation, session hijacking, and elevation of privilege.

Strong passwords help to defend against brute-force attacks, and passwords stored as salted hashes further slow down dictionary attacks, giving your detection measures time to notice an attack in progress.

To protect forms authentication

  • Ensure that your forms authentication tickets are encrypted and integrity checked by setting protection="All" on the <forms> element.
  • Use Secure Sockets Layer (SSL) to protect the forms authentication credentials and the forms authentication cookie passed from browser to server by setting requireSSL="true".
  • If you cannot use SSL, consider reducing the cookie lifetime by reducing the timeout value to minimize the time window within which an attacker can use a captured authentication cookie to access your site.
  • If you are in a scenario where you are concerned about cookie hijacking, consider reducing the timeout and setting slidingExpiration="false".
  • Use unique name and path attribute values on the <forms> element.
  • Here is a sample of a secure forms authentication configuration (the loginUrl is a URL path, so it uses forward slashes):
  <forms loginUrl="Restricted/login.aspx"
         protection="All"
         requireSSL="true"
         slidingExpiration="true" />
  • Do not persist the authentication cookie on the client computer, and do not use it for personalization purposes.
  • Enforce strong passwords and store them as non-reversible password hashes with added salt.
  • When using a SQL Server database as your user store, protect your login form against SQL injection by validating and constraining the input credentials and by using parameterized stored procedures to access the user store.
  • Protect the connection string that points to your user store, for example by encrypting the connectionStrings section in your Web.config file.
  • Protect access to the user store by granting appropriate access to only the accounts that require it. As an added measure, locate your user store on a physically separate server from your Web server.
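The following Web.config fragment is an added illustration, not the page's own sample or Microsoft's code. It places a weak forms configuration beside one hardened according to the steps above; the timeout of 10 minutes, the cookie name and the path are placeholder values chosen for the example, not values the page prescribes.

```xml
<!-- Weak: tickets neither encrypted nor signed, cookie accepted over plain HTTP,
     long lifetime that renews on every request, default cookie name and path. -->
<authentication mode="Forms">
  <forms loginUrl="Restricted/login.aspx"
         protection="None"
         requireSSL="false"
         timeout="30"
         slidingExpiration="true" />
</authentication>

<!-- Hardened: ticket encrypted and integrity checked, cookie only sent over SSL,
     short fixed lifetime, unique cookie name and path (placeholders to replace). -->
<authentication mode="Forms">
  <forms loginUrl="Restricted/login.aspx"
         protection="All"
         requireSSL="true"
         timeout="10"
         slidingExpiration="false"
         name="AppNameAuthCookie"
         path="/AppName" />
</authentication>
```

With slidingExpiration="false" the ticket expires a fixed time after it is issued, so a captured cookie stops working at that point regardless of continued activity; with requireSSL="true" ASP.NET marks the cookie as secure and rejects it over a non-SSL request. The connectionStrings section referred to above can be encrypted in place with the aspnet_regiis tool that ships with the .NET Framework, for example aspnet_regiis -pe "connectionStrings" -app "/AppName".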
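The C# class below is an added example, not code from the Guidance Share page or from patterns & practices. It shows the two user-store steps above in working form: passwords stored as salted, non-reversible PBKDF2 hashes, and a login lookup that constrains the user name and calls a parameterized stored procedure. The stored procedure dbo.GetUserCredentials, its PasswordSalt and PasswordHash columns, and the "UserStore" connection string name are all assumptions made for this example.

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;
using System.Text.RegularExpressions;

public static class CredentialStore
{
    // Constrain input before it reaches the user store: length and character set.
    static readonly Regex UserNameRule = new Regex(@"^[A-Za-z0-9_.@-]{3,64}$");
    const int SaltSize = 16;        // 128-bit random salt, unique per user
    const int HashSize = 32;        // 256-bit derived key
    const int Iterations = 100000;  // PBKDF2 work factor; raise as hardware allows

    public static bool IsValidUserName(string userName)
    {
        return userName != null && UserNameRule.IsMatch(userName);
    }

    // Produce a fresh salt and a PBKDF2 hash for storage; the password itself is never stored.
    public static void HashPassword(string password, out byte[] salt, out byte[] hash)
    {
        salt = new byte[SaltSize];
        using (var rng = new RNGCryptoServiceProvider())
        {
            rng.GetBytes(salt);
        }
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
        {
            hash = kdf.GetBytes(HashSize);
        }
    }

    // Recompute the hash with the stored salt and compare every byte without an
    // early exit, so timing does not reveal how many leading bytes matched.
    public static bool VerifyPassword(string password, byte[] salt, byte[] storedHash)
    {
        byte[] candidate;
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
        {
            candidate = kdf.GetBytes(storedHash.Length);
        }
        int diff = candidate.Length ^ storedHash.Length;
        for (int i = 0; i < candidate.Length && i < storedHash.Length; i++)
        {
            diff |= candidate[i] ^ storedHash[i];
        }
        return diff == 0;
    }

    // Fetch the stored salt and hash through a parameterized stored procedure
    // (hypothetical name dbo.GetUserCredentials). The user name travels as a typed
    // parameter and is never concatenated into SQL text.
    public static bool Authenticate(string userName, string password)
    {
        if (!IsValidUserName(userName) || string.IsNullOrEmpty(password))
        {
            return false;
        }
        // "UserStore" is an assumed entry in the (ideally encrypted) connectionStrings section.
        string connStr = ConfigurationManager.ConnectionStrings["UserStore"].ConnectionString;
        using (var conn = new SqlConnection(connStr))
        using (var cmd = new SqlCommand("dbo.GetUserCredentials", conn))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 64).Value = userName;
            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader(CommandBehavior.SingleRow))
            {
                if (!reader.Read())
                {
                    return false; // unknown user: same outcome as a wrong password
                }
                byte[] salt = (byte[])reader["PasswordSalt"];   // assumed column
                byte[] hash = (byte[])reader["PasswordHash"];   // assumed column
                return VerifyPassword(password, salt, hash);
            }
        }
    }
}
```

Call HashPassword when an account is created or a password changes, and persist only the salt and hash; at login, Authenticate returns true only when the recomputed hash matches the stored one. Because the salt is random per user, two accounts with the same password produce different hashes, which is what blunts precomputed dictionary attacks.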

More Information

For more information on securing forms authentication, see “How To: Protect Forms Authentication in ASP.NET 2.0” at
