Bear in mind that except for requests over HTTPS, any request from the browser to the server is transmitted over the network in plain text. For this reason, many websites serve the login page over HTTPS, as in https://www.example.com/login.aspx. This approach ensures that the user's credentials are transmitted securely and kept from prying eyes. With the login overlay user interface, however, user credentials are sent to the server-side service in plain text unless the user is already visiting the current page over HTTPS.
You can optionally configure the server-side AuthenticationService service to accept requests only over SSL (HTTPS). To accomplish this, open Web.config and set the requireSSL attribute of the system.web.extensions\scripting\webServices\authenticationService element to true. If requireSSL is set to true and a non-secure request is made to the server-side AuthenticationService service, the service throws an HttpException. If you go this route, consider also setting the requireSSL attribute of the system.web\authentication\forms element to true, which instructs the browser to submit the authentication ticket to the server only when making a request over HTTPS.
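The two settings just described, as an added Web.config fragment that is not from the original article: the element paths are the ones named above, while the loginUrl value is an assumed placeholder for your own login page.

```xml
<configuration>
  <system.web>
    <!-- Forms authentication: requireSSL="true" marks the ticket cookie as
         Secure, so the browser sends it only over HTTPS. The default is
         "false", which lets the ticket travel on plain HTTP requests.
         loginUrl is an assumed placeholder for your own login page. -->
    <authentication mode="Forms">
      <forms loginUrl="~/login.aspx" requireSSL="true" />
    </authentication>
  </system.web>
  <system.web.extensions>
    <scripting>
      <webServices>
        <!-- Server-side AuthenticationService used by the login overlay.
             With requireSSL="true" a non-HTTPS call to the service fails
             with an HttpException instead of accepting credentials over
             plain text. The default is "false". -->
        <authenticationService enabled="true" requireSSL="true" />
      </webServices>
    </scripting>
  </system.web.extensions>
</configuration>
```

With both attributes set, a page served over plain HTTP can no longer submit the overlay's credentials or present the authentication ticket, so make sure the pages hosting the overlay are themselves reachable over HTTPS.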
In closing, realize that for many sites the login overlay is not intended to be an outright replacement for the dedicated login page. If you have pages that are available only to authenticated users, you will still need a dedicated login page for the scenario where an anonymous user attempts to visit such a page directly.
For more information on the topics addressed in this article, consult the following resources:
Server-Side Data from Client Script
Client-Side Sys.Services.AuthenticationService class
Server-Side AuthenticationService class
Forms Authentication in ASP.NET