5.1 Security Considerations for Implementers

The Login WSDL operation requires that a user’s logon name and password be sent as plain text in the body of the request WSDL message. Therefore, the message is inherently not secure. In addition, forms authentication is subject to replay attacks for the lifetime of the cookie. To help increase the security of the message, use of Secure Sockets Layer (SSL) and Transport Layer Security (TLS) is recommended.
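A client-side guard for the two risks described above, as an added example that is not part of the original specification: it refuses to send the Login body to a non-TLS endpoint and audits the returned forms authentication cookie for attributes that widen the replay window. The namespace URI, the `username`/`password` element names, the function names, and the sample cookie are assumptions to confirm against the service's WSDL.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit
from xml.sax.saxutils import escape

# Assumed namespace for the Login operation; confirm against the service WSDL.
SOAP_NS = "http://schemas.microsoft.com/sharepoint/soap/"


def require_tls(url):
    """Refuse any endpoint that would carry the Login body in cleartext."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "https" or not parts.hostname:
        raise ValueError(f"refusing to send credentials to non-TLS endpoint: {url}")
    return url


def build_login_envelope(username, password):
    """Build the request; logon name and password are plain text in the body."""
    return (
        '<?xml version="1.0" encoding="utf-8"?>'
        '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
        f'<soap:Body><Login xmlns="{SOAP_NS}">'
        f"<username>{escape(username)}</username>"
        f"<password>{escape(password)}</password>"
        "</Login></soap:Body></soap:Envelope>"
    )


def audit_auth_cookie(set_cookie_header):
    """Return findings that make the returned cookie easier to capture or replay."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    findings = []
    for name, morsel in jar.items():
        if not morsel["secure"]:
            findings.append(f"{name}: no Secure attribute, cookie can leak over HTTP")
        if not morsel["httponly"]:
            findings.append(f"{name}: no HttpOnly attribute, readable by page script")
        if morsel["max-age"] or morsel["expires"]:
            findings.append(f"{name}: persistent cookie, replayable until it expires")
    return findings
```

Call `require_tls` on the endpoint URL before posting the envelope, and run `audit_auth_cookie` on each `Set-Cookie` header in the Login response.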