Note: This is NOT an ASP.NET MVC question related to the [RequireSSL] attribute. Thats completely different – just has the same name.

ASP.NET Forms authentication has the RequireSSL property which requires that the auth cookie for ASP.NET membership is only ever sent over SSL. This is to prevent someone from stealing the cookie (such as by network sniffing) and impersonating the user.

So I’m wondering – with all the security conscious changes MS have made (such as making httpOnly cookies default) why is requireSSL not defaulted to true ?

Is cookie sniffing considered a ‘neglibigle’ security risk?

Is it considered an acceptable risk to leave it false unless the connection actually allows me to access secure/personal data? If it isnt acceptable – how am I supposed to return a user to http and still know who they are?

To prevent forms authentication
cookies from being captured and
tampered with while crossing the
network, ensure that you use SSL with
all pages that require authenticated
access and restrict forms
authentication tickets to SSL channels
by setting requireSSL=”true” on the
element.

To restrict forms authentication
cookies to SSL channels

Set requireSSL=”true” on the element,
as shown in the following code.

By setting requireSSL=”true”, you set
the secure cookie property that
determines whether browsers should
send the cookie back to the server.
With the secure property set, the
cookie is sent by the browser only to
a secure page that is requested using
an HTTPS URL.

Note: If you are using cookieless
sessions, you must ensure that the
authentication ticket is never
transmitted across an unsecured
channel.