You are creating an ASP.NET application by using the .NET Framework 3.5.
The application connects to a Web service over the Internet. The application uses and stores authentication cookies.
You need to ensure that transmission and storage of cookies is as secure as possible.
What should you do?
A.
Modify the authentication cookie time-out to be as short as possible.
B.
Store the IP address of the client computer in a database each time a user logs on to the application. Reject requests that originate from IP addresses which do not match the stored IP address.
C.
Include the IP address of the client computer in the encrypted authentication cookie each time a user logs on to the application. Reject requests that originate from IP addresses which do not match the encrypted IP address.
D.
Use a secure HTTP connection for any request that involves the transmission of an authentication cookie.
Explanation:
If users submit passwords via the logon page, you can secure the channel with SSL/TLS to prevent the passwords from being captured in transit.
If you use cookies to maintain the identity of the user between requests, be aware that an attacker can "steal" the user's cookie with a network-monitoring program and replay it. The only way to make cookie-based authentication genuinely safe against that attack is to use SSL/TLS for all communications with the site, and to mark the cookie as Secure so the browser never sends it over plain HTTP. The original explanation notes that site-wide SSL was often considered impractical for commerce sites because of its performance overhead; that concern is dated, and site-wide HTTPS is the expected practice (and the correct answer here) rather than the exception.
Options A, B and C only reduce the window or scope of a replayed cookie: a short time-out still leaves the cookie usable until it expires, and tying the session to a client IP address breaks for users behind proxies or NAT, or whose address changes, while not stopping an attacker on the same network path. Option D removes the exposure itself.
With ASP.NET you can also have the server regenerate the cookie at timed intervals (sliding expiration). This policy of cookie expiration limits how long a stolen cookie remains useful, but it is a complement to SSL, not a substitute for it. See also: http://msdn.microsoft.com/en-us/library/ee817643.aspx
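As an added example (not part of the original question or its explanation), the following web.config fragment shows the weak forms-authentication settings alongside a hardened version that enforces option D. The loginUrl path, the 20-minute timeout and the use of Forms authentication are assumptions for illustration; the attribute names are the standard ASP.NET 2.0/3.5 configuration elements.

```xml
<?xml version="1.0"?>
<!-- Added example, not from the original page: weak vs. hardened forms-authentication
     settings for an ASP.NET 3.5 application. Login.aspx and the 20-minute timeout are
     assumed values chosen for illustration. -->
<configuration>
  <system.web>

    <!-- WEAK (shown commented out): the ticket cookie carries no Secure flag, so the
         browser will send it over plain HTTP where it can be sniffed, and it is
         readable by client-side script. A long timeout extends the replay window.
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx" timeout="2880" />
    </authentication>
    -->

    <!-- HARDENED -->
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx"
             requireSSL="true"
             protection="All"
             timeout="20"
             slidingExpiration="true"
             cookieless="UseCookies" />
    </authentication>

    <!-- Apply Secure and HttpOnly to every cookie the application issues, not only
         the forms-authentication ticket. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />

  </system.web>
</configuration>
```

With `requireSSL="true"` on `<forms>`, ASP.NET sets the Secure attribute on the authentication cookie, so the browser withholds it from any http:// request, and `FormsAuthentication.RedirectFromLoginPage` / `SetAuthCookie` throw an `HttpException` if the logon request itself did not arrive over HTTPS, which catches a misconfigured logon page early. `protection="All"` (the default) both encrypts and MACs the ticket so its contents cannot be read or altered. `httpOnlyCookies="true"` does not stop network sniffing, which only TLS prevents, but it does block the other common theft route, script access after a cross-site scripting bug. Keeping `timeout` short with `slidingExpiration="true"` bounds how long a ticket that does leak remains valid without forcing active users to log in again.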