Most developers probably use forms authentication in cookie mode. In fact, unless you happened to use the Microsoft Mobile Internet Toolkit (MMIT) in ASP.NET 1.1, ASP.NET could not automatically issue and manage tickets in a cookieless format.
In ASP.NET 1.1 the requireSSL attribute on the <forms /> element enabled developers to require SSL when handling forms authentication tickets carried in a cookie. The slidingExpiration attribute on <forms /> let you control whether forms authentication tickets would be automatically renewed as long as a website user stayed active on the site. In addition to these options, ASP.NET 2.0 and ASP.NET 3.5 add a further protection for the forms authentication ticket by always setting the HttpOnly property on the cookie to true.
The HttpCookie class has a property called Secure. When this property is set to true, the string secure is included in the Set-Cookie header that is sent back to the browser. Browsers that recognize and honor this cookie setting send the cookie back to the web server only if the connection is secured with SSL. For any high-security site, the requireSSL attribute should always be set to true to maximize the likelihood that the cookie is only communicated over a secure connection.
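To confirm what a deployed site actually sends, the following added example (not from the original text) parses Set-Cookie header values and reports whether the forms authentication cookie carries the secure and HttpOnly attributes. It assumes the default forms cookie name .ASPXAUTH; the function names and the sample header values are constructed for illustration.

```python
# Added example: audit Set-Cookie header values for the Secure and HttpOnly flags.
# Assumption: the site uses ASP.NET's default forms cookie name, .ASPXAUTH.

FORMS_COOKIE = ".ASPXAUTH"


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, attributes)."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        # Attribute names are case-insensitive; flags such as secure carry no value.
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_cookie(header_value, cookie_name=FORMS_COOKIE):
    """Return the list of missing flags, or None if this is a different cookie."""
    name, _, attrs = parse_set_cookie(header_value)
    if name != cookie_name:
        return None
    missing = []
    if "secure" not in attrs:
        missing.append("Secure")    # cookie may be sent over a non-SSL connection
    if "httponly" not in attrs:
        missing.append("HttpOnly")  # cookie is readable from client-side script
    return missing


# Constructed sample header values (the ticket value is a placeholder).
SAMPLE_HEADERS = [
    ".ASPXAUTH=CONSTRUCTED_TICKET; path=/; HttpOnly",          # requireSSL="false"
    ".ASPXAUTH=CONSTRUCTED_TICKET; path=/; secure; HttpOnly",  # requireSSL="true"
    "theme=dark; path=/",                                      # unrelated cookie
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        result = audit_cookie(header)
        if result is not None:
            print(header, "->", ", ".join(result) if result else "ok")
```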
However, depending on client-side behavior is always problematic. The browser may not support secure cookies (unlikely but still possible with older browsers). Additionally, ...