How secure is basic forms authentication in asp.net?

NakedBrunch · Sep 25, 2008 · Viewed 10.2k times

Imagine that you have a simple site with only 2 pages: login.aspx and secret.aspx. Your site is secured using nothing but ASP.net forms authentication and an ASP.net Login server control on login.aspx. The details are as follows:

  • The site is configured to use the SqlMembershipProvider
  • The site denies all anonymous users
  • Cookies are disabled

There are obviously many things to consider regarding security, but I am more interested in the zero-code out-of-box experience that comes with the .NET framework.

If, for the sake of this question, the only attack points are the username/password textboxes in login.aspx, can a hacker inject code that will allow them to gain access to our secret.aspx page?

How secure is the zero code out-of-box experience that Microsoft provides?

Answer

Joel Coehoorn · Sep 25, 2008

You still have some variables that aren't accounted for:

  • Security into the data store used by your membership provider (in this case, the Sql Server database).
  • security of other sites hosted in the same IIS
  • general network security of the machines involved in hosting the site, or on the same network where the site is hosted
  • physical security of the machines hosting the site
  • Are you using appropriate measures to encrypt authentication traffic? (HTTPS/SSL)

Not all of those issues are MS specific, but they're worth mentioning because any of them could easily outweigh the issue you're asking about, if not taken care of. But, for the purpose of your question I'll assume there aren't any problems with them.

In that case, I'm pretty sure the forms authentication does what it's supposed to do. I don't think there's any currently active exploit out there.
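For reference, here is a web.config that reproduces the setup the question describes (forms authentication, SqlMembershipProvider, all anonymous users denied, cookies disabled) and covers the HTTPS point from the answer. It is an added example, not configuration from the question, the answer or Microsoft's documentation; the connection string, provider name, application name and the individual limit values are placeholders and assumptions, not values from the page.

```xml
<?xml version="1.0"?>
<!-- Added example configuration (not from the question or the answer).
     Connection string, provider name and numeric limits are placeholders. -->
<configuration>
  <connectionStrings>
    <!-- Placeholder: point this at the database holding the aspnet_* membership tables. -->
    <add name="MembershipDb"
         connectionString="Data Source=DB_HOST_PLACEHOLDER;Initial Catalog=aspnetdb;Integrated Security=True"
         providerName="System.Data.SqlClient" />
  </connectionStrings>

  <system.web>
    <!-- Forms authentication: unauthenticated requests are redirected to login.aspx.
         cookieless="UseUri" is what "cookies are disabled" amounts to: the ticket is
         carried in the URL instead of a cookie. protection="All" encrypts and signs the
         ticket with the machine key, so a forged ticket fails validation. -->
    <authentication mode="Forms">
      <forms loginUrl="login.aspx"
             cookieless="UseUri"
             protection="All"
             timeout="30"
             slidingExpiration="false"
             requireSSL="true" />
    </authentication>

    <!-- Deny every anonymous user site-wide; login.aspx is re-opened below. -->
    <authorization>
      <deny users="?" />
    </authorization>

    <!-- The membership provider from the question. The lockout and password values
         are assumptions chosen for illustration; Hashed is the provider's default format. -->
    <membership defaultProvider="SqlProvider">
      <providers>
        <clear />
        <add name="SqlProvider"
             type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="MembershipDb"
             applicationName="/"
             passwordFormat="Hashed"
             enablePasswordRetrieval="false"
             requiresUniqueEmail="true"
             maxInvalidPasswordAttempts="5"
             passwordAttemptWindow="10"
             minRequiredPasswordLength="8" />
      </providers>
    </membership>
  </system.web>

  <!-- Anonymous users must still be able to reach the login page itself. -->
  <location path="login.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Two practical notes on this configuration. The values typed into the Login control's textboxes reach the database only as parameters of the provider's stored procedures, never as SQL text, which is why the out-of-box provider does not expose a SQL injection path through those fields. The bigger caveat is the cookieless setting: with the ticket in the URL it can end up in server logs, browser history and Referer headers, and `requireSSL="true"` only governs the Secure flag on a cookie-based ticket, so the answer's HTTPS point is best served by `cookieless="UseCookies"` over HTTPS rather than by the URL-ticket mode the question describes.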