Sep 7th, 2005
ASP.NET Forms Authentication Vulnerability

McAfee, Inc., a leader in intrusion prevention, announced that its security services group, Foundstone Professional Services, will release a whitepaper on Microsoft ASP.NET Forms Authentication and "cookie replay" attacks. The whitepaper will be located at http://www.foundstone.com/index.htm?...hitepapers.htm. In response, Microsoft authored an MSDN article:
http://support.microsoft.com/default...b;en-us;900111.

What is a "cookie replay" attack? When authentication information is stored in a cookie, an attacker who gains access to that cookie can authenticate back to the web application.

The particular vulnerability in ASP.NET Forms Authentication is that even if the cookie is explicitly removed, no persistent record of that is stored server-side. So, the credentials could still be used to authenticate to the web application. Also, even though cookies can have an expiration date (and always should!), ASP.NET actually uses a "forms authentication ticket" to determine if a cookie is still valid. This can allow an "expired" cookie to still be seen as valid by the ASP.NET application.

Both the Foundstone/McAfee whitepaper and the MSDN article give advice on how to plug this potential security hole.
Posted by tgreer
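The weakness the post describes is that ticket validity lives entirely in the cookie, so nothing on the server remembers that a user signed out. The example below is added here and is not code from the post, from the Foundstone whitepaper or from Microsoft's article; it shows one way to close the gap with a server-side revocation list. Each ticket is issued with a random id in its `UserData` (which survives sliding-expiration renewal), sign-out records that id until the ticket would have expired anyway, and an `IHttpModule` rejects any replayed cookie whose id has been revoked. The class and module names (`TicketRevocation`, `RevocationModule`) are hypothetical, it targets .NET 2.0 APIs, and the in-memory dictionary assumes a single web server (a farm would need a shared store such as a database).

```csharp
// Added example: server-side revocation of ASP.NET Forms Authentication tickets.
// Assumptions: single server (in-memory store), .NET 2.0 Forms Authentication APIs.
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.Security;

public static class TicketRevocation
{
    // Revoked ticket id -> the ticket's own expiration, so entries can be pruned
    // once the ticket could no longer be replayed anyway.
    private static readonly Dictionary<string, DateTime> revoked = new Dictionary<string, DateTime>();
    private static readonly object sync = new object();

    // Issue a ticket carrying a random id in UserData. The id is what we revoke on
    // sign-out; FormsAuthentication.RenewTicketIfOld keeps UserData across renewals.
    public static void IssueTicket(HttpResponse response, string userName, int lifetimeMinutes)
    {
        string ticketId = Guid.NewGuid().ToString("N");
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1, userName, DateTime.Now, DateTime.Now.AddMinutes(lifetimeMinutes),
            false /* never persistent */, ticketId);

        HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                           FormsAuthentication.Encrypt(ticket));
        cookie.HttpOnly = true;              // not readable by client-side script
        cookie.Secure = true;                // only sent over HTTPS
        cookie.Expires = ticket.Expiration;  // keep cookie lifetime in step with the ticket
        response.Cookies.Add(cookie);
    }

    // Sign out: remember this ticket as revoked server-side, then clear the cookie.
    // Without the first step, a copied cookie would still authenticate until expiry.
    public static void SignOut(HttpContext context)
    {
        FormsAuthenticationTicket ticket = ReadTicket(context.Request);
        if (ticket != null && ticket.UserData.Length > 0)
        {
            lock (sync) { revoked[ticket.UserData] = ticket.Expiration; }
        }
        FormsAuthentication.SignOut();
    }

    // Fail closed: a ticket without our id (not issued by IssueTicket) is treated as revoked.
    public static bool IsRevoked(FormsAuthenticationTicket ticket)
    {
        lock (sync)
        {
            Prune();
            return ticket.UserData.Length == 0 || revoked.ContainsKey(ticket.UserData);
        }
    }

    // Drop entries whose tickets have expired on their own; caller holds the lock.
    private static void Prune()
    {
        List<string> expired = new List<string>();
        foreach (KeyValuePair<string, DateTime> entry in revoked)
            if (entry.Value < DateTime.Now) expired.Add(entry.Key);
        foreach (string key in expired) revoked.Remove(key);
    }

    // Decrypt the forms cookie; null for a missing, tampered or unreadable cookie.
    public static FormsAuthenticationTicket ReadTicket(HttpRequest request)
    {
        HttpCookie cookie = request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return null;
        try { return FormsAuthentication.Decrypt(cookie.Value); }
        catch (Exception) { return null; }
    }
}

// Register under <httpModules> in web.config so it runs on every request.
public class RevocationModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        // Runs after FormsAuthenticationModule has accepted the cookie.
        app.PostAuthenticateRequest += OnPostAuthenticateRequest;
    }

    private void OnPostAuthenticateRequest(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        if (app.Context.User == null || !app.Context.User.Identity.IsAuthenticated) return;

        FormsAuthenticationTicket ticket = TicketRevocation.ReadTicket(app.Request);
        // Forms auth already drops expired tickets; we also drop revoked (replayed) ones.
        if (ticket == null || ticket.Expired || TicketRevocation.IsRevoked(ticket))
        {
            FormsAuthentication.SignOut();
            FormsAuthentication.RedirectToLoginPage();
        }
    }

    public void Dispose() { }
}
```

The login page calls `TicketRevocation.IssueTicket` instead of `FormsAuthentication.SetAuthCookie`, and the logout handler calls `TicketRevocation.SignOut` instead of `FormsAuthentication.SignOut` alone. The revocation list only needs to remember ids until the ticket's own `Expiration`, so its size is bounded by the number of sign-outs within one ticket lifetime; a short ticket lifetime therefore limits both the replay window and the store's size.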

© 2011 DaniWeb® LLC