How secure is basic forms authentication in asp.net?

Question

Imagine that you have a simple site with only 2 pages: login.aspx and secret.aspx. Your site is secured using nothing but ASP.net forms authentication and an ASP.net Login serv

Answer 1

You still have some variables that aren't accounted for:

• Security into the data store used by your membership provider (in this case, the Sql Server database).
• security of other sites hosted in the same IIS
• general network security of the machines involved in hosting the site, or on the same network where the site is hosted
• physical security of the machines hosting the site
• Are you using appropriate measures to encrypt authentication traffic? (HTTPS/SSL)

Not all of those issues are MS specific, but they're worth mentioning because any of them could easily outweigh the issue you're asking about, if not taken care of. But, for the purpose of your question I'll assume there aren't any problems with them.

In that case, I'm pretty sure the forms authentication does what it's supposed to do. I don't think there's any currently active exploit out there.