我使用VSTS 2008 + C＃+净3.5 + IIS 7.0 + ASP.Net。在我的窗体身份验证，会话变量的理解（用于认证标识 - 也就是当用户通过身份验证，用户都会有这样的会话变量，会话变量implemneted作为cookie）成立了身份验证的用户

我的这种模式值得关注的是，每次用户访问的网站的页面时，会话变量将被转移到服务器端。它可能是由黑客来sniffered和黑客可以利用这些会话变量pretend是最终用户？那是一个安全隐患？

如果它是一个安全隐患，那么我们就必须使用https与Forms身份验证所有的时间？

在此先感谢， 乔治

我已经在连接到我们的合作伙伴之一的请求，类似的担忧... （在这里详见：http://stackoverflow.com/questions/1367574/rewriting-urls-using-reverse-proxy ）

事实证明这种合法的过程实际上是利用黑客的方法被称为中间人。它在技术上pretends通过保持的Cookie ID在它自己的会话的上下文在处理服务器，并保持一个sparate一个用于客户端计算机是用户。

因此​​，在理论上它可以做，这是一种威胁。使用SSL是正确的方式去在我看来，如果数据在任何方面很敏感。

有趣的足够在此Microsoft支持文章 http://support.microsoft.com/kb/910443的措辞让你相信它实际上是相同的每个请求......

窗体身份验证cookie是什么，但容器窗体身份验证票证。票证是通过为每个请求的窗体身份验证cookie的值，并使用窗体身份验证，在服务器上，以识别身份验证的用户。的

这个cookie可以被加密，使用3DES加密。这可以通过保护属性设置为web.config文件的验证部分的验证的启用。使用该设置在服务器上验证每项交易cookie中的数据。 这增加了一个小的开销，但...

I am using VSTS 2008 + C# + .Net 3.5 + IIS 7.0 + ASP.Net. In my understanding of Forms authentication, a session variable (used for authentication identifier -- i.e. when a user passed authentication, the user will have such a session variable, and the session variable is implemneted as a cookie) is established for authenticated user.

My concern of this mode is, each time user access a page in the web site, the session variable will be transferred to server side. It may be sniffered by hacker, and hacker could use such session variable to pretend to be the end user? Is that a security risk?

If it is a security risk, then we have to use https all the time with Forms authentication?

thanks in advance, George

I've had similar concerns in connection to a request from one of our partners... ( See in details here: http://stackoverflow.com/questions/1367574/rewriting-urls-using-reverse-proxy )

As it turns out this "legitimate" process is actually using a hacking method called the "middle man". It technically pretends to be the user by keeping the cookie ID in its own session context while dealing with the server and keep a sparate one for the client computer.

So, in theory it could be done and it is a threat. Using SSL is the right way to go in my opinion if the data is in any way sensitive.

Funny enough in this Microsoft Support article http://support.microsoft.com/kb/910443 the phrasing makes you believe that it is actually the same for each request...

Forms authentication cookie is nothing but the container for forms authentication ticket. The ticket is passed as the value of the forms authentication cookie with each request and is used by forms authentication, on the server, to identify an authenticated user.

The cookie could be encrypted, using 3DES encryption. This could be enabled by setting the protection attribute to Validation of the authentication section of the web.config file. Using this setting the server verifies the data on the cookie for each transaction. This adds a little overhead though...