I read the white paper from Araujo Rudolph on ASP.NET form authentication security flaws: http://www.foundstone.com/resources/whitepapers/ASPNETFormsAuthentication.pdf
It is amazing to me to think that you could still perform a cookie replay attack after you log out from the form (if the session is valid). In the web applications I am writing for my client, I am using SOAP header authentication. The SOAP header credentials are compared with the ones in a secure data repository and added to the application object to persist the session. No cookies are used. The only threat, as far as I know, could come from exploiting the clear-text credentials in the headers during transmission, but my web application runs under a VPN because it is a credit card application with special security. I am interested in how secure SOAP header authentication is; maybe this paper might help me. Thanks, Rudy
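
The replay after logout mentioned in the comment above, as an added Python model that is not from the white paper, the commenter or ASP.NET itself: a signed, self-contained ticket keeps validating until it expires unless the server records the logout. The ticket format, key handling and all function names are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, secrets, time

KEY = secrets.token_bytes(32)   # constructed server-side signing key
REVOKED = set()                 # ticket ids the server has seen log out

def issue_ticket(user, ttl=1800, now=None):
    """Return a self-contained signed ticket, as it would sit in an auth cookie."""
    now = time.time() if now is None else now
    body = json.dumps({"u": user, "exp": now + ttl,
                       "id": secrets.token_hex(8)}).encode()
    mac = hmac.new(KEY, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac + body).decode()

def parse_ticket(ticket, now):
    """Check MAC and expiry; return the claims dict or None."""
    raw = base64.urlsafe_b64decode(ticket)
    mac, body = raw[:32], raw[32:]
    expected = hmac.new(KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None
    claims = json.loads(body)
    return claims if claims["exp"] > now else None

def validate_stateless(ticket, now=None):
    """Weak form: signature and expiry only, so a logout changes nothing."""
    claims = parse_ticket(ticket, time.time() if now is None else now)
    return claims["u"] if claims else None

def logout(ticket):
    """Hardened logout: remember the ticket id server-side as well."""
    claims = parse_ticket(ticket, 0)  # now=0 so any validly signed ticket is revoked
    if claims:
        REVOKED.add(claims["id"])

def validate_with_revocation(ticket, now=None):
    """Hardened form: a ticket whose id was logged out is refused."""
    claims = parse_ticket(ticket, time.time() if now is None else now)
    if claims is None or claims["id"] in REVOKED:
        return None
    return claims["u"]

def demo():
    ticket = issue_ticket("alice")   # constructed sample user
    captured = ticket                # a copy of the cookie value kept elsewhere
    logout(ticket)                   # the browser would also delete its cookie
    return validate_stateless(captured), validate_with_revocation(captured)

if __name__ == "__main__":
    print(demo())
```

The same reasoning applies to credentials cached server-side after a SOAP header check: the cached entry needs an explicit removal path and a lifetime, or it outlives the user's intent to end the session.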