How secure is basic forms authentication in asp.net?

Imagine that you have a simple site with only 2 pages: login.aspx and secret.aspx. Your site is secured using nothing but ASP.net forms authentication and an ASP.net Login server control on login.aspx. The details are as follows:

  • The site is configured to use the SqlMembershipProvider
  • The site denies all anonymous users
  • Cookies are disabled

There are obviously many things to consider regarding security, but I am more interested in the zero-code, out-of-the-box experience that comes with the .NET framework.

If, for the sake of this question, the only attack points are the username/password textboxes in login.aspx, can a hacker inject code that will allow them to gain access to our secret.aspx page?

How secure is the zero code out-of-box experience that Microsoft provides?

NakedBrunch asked Sep 25 '08 12:09



3 Answers

You still have some variables that aren't accounted for:

  • Security of the data store used by your membership provider (in this case, the SQL Server database).
  • Security of other sites hosted in the same IIS.
  • General network security of the machines involved in hosting the site, or on the same network where the site is hosted.
  • Physical security of the machines hosting the site.
  • Are you using appropriate measures to encrypt authentication traffic? (HTTPS/SSL)

Not all of those issues are MS specific, but they're worth mentioning because any of them could easily outweigh the issue you're asking about, if not taken care of. But, for the purpose of your question I'll assume there aren't any problems with them.

In that case, I'm pretty sure the forms authentication does what it's supposed to do. I don't think there's any currently active exploit out there.

Joel Coehoorn answered Oct 07 '22 20:10

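The setup from the question and the HTTPS point from the answers above, written out as web.config fragments (an added example, not from the question, the answers, or Microsoft's documentation). It takes "cookies are disabled" to mean cookieless forms authentication, and the provider name and connection string name are assumed.

```xml
<!-- BEFORE: the question's setup. With cookieless="UseUri" the forms ticket
     travels in the URL, and nothing forces HTTPS, so both the login POST and
     the ticket are exposed to anyone watching the network. -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="login.aspx" cookieless="UseUri" />
    </authentication>
    <authorization>
      <deny users="?" />   <!-- deny all anonymous users -->
    </authorization>
    <membership defaultProvider="SqlProvider">   <!-- names assumed -->
      <providers>
        <add name="SqlProvider"
             type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="MembershipDb" />
      </providers>
    </membership>
  </system.web>
</configuration>

<!-- AFTER: same two pages and provider, hardened. requireSSL rejects
     tickets sent over plain HTTP, the ticket goes back into an HttpOnly
     cookie so it cannot leak through Referer headers or server logs, and
     the provider stores hashed passwords with a lockout window. -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="login.aspx"
             requireSSL="true"
             cookieless="UseCookies"
             protection="All"
             slidingExpiration="false"
             timeout="30" />
    </authentication>
    <authorization>
      <deny users="?" />
    </authorization>
    <httpCookies requireSSL="true" httpOnlyCookies="true" />
    <membership defaultProvider="SqlProvider">
      <providers>
        <add name="SqlProvider"
             type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="MembershipDb"
             passwordFormat="Hashed"
             maxInvalidPasswordAttempts="5"
             passwordAttemptWindow="10" />
      </providers>
    </membership>
  </system.web>
</configuration>
```

Neither fragment changes the login.aspx/secret.aspx code; the difference is only in what the framework enforces before a ticket is accepted.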

As far as I know, the password will be sent as plain text (but encoded). So the most important thing to do is to use the HTTPS protocol on login screens.

The other settings seem secure to me.

artur02 answered Oct 07 '22 20:10


With HTTP Basic Authentication, which is what the .NET basic forms authentication is using, in order to view the secret.aspx page, the browser must send a Base64 encoded concatenation of the username and password.

Unless you utilize SSL, anyone who has access to scan the network between the server and the browser can read this information. They can decode the username and password. They can replay the username and password in the future to gain access to the secret.aspx page.

That said, unless you use SSL, someone can also scan the whole session of someone else using secret.aspx, so in effect, they would have access to the content of the page as well.

Dan answered Oct 07 '22 20:10