I'm being asked about ASP.NET website forms authentication cookie replay attacks.
I followed the advice below to protect against any attack, but I think that the site is still vulnerable if someone manages to get hold of the cookie (albeit for a short time). Is there a way to completely destroy the forms authentication session when you log out, so that even if someone stole the cookie, it would not be possible to use it maliciously?
After consultation:

We believe that we have taken all the crucial steps that we can to protect against this within ASP.NET. See detailed answer below.

However, we have implemented the recommended steps from Microsoft to protect against this (see http://support.microsoft.com/default.aspx?scid=kb;en-us;900111):

· An authentication file is never written to the client machine, which makes it difficult to steal it.
· The application runs over SSL, so a cookie is never issued over an insecure connection.
· We apply an absolute expiration with a 15 minute timeout, meaning that any cookie problems are useless after this time limit.
· We use a httpOnly cookie so that no one can program or drag this cookie.

Thus, even if the above precautions were violated, which, in our opinion, is unlikely, a malicious user will only have a 15-minute window to violate the precautions and successfully log into the system.
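One way to make logout revoke the ticket itself rather than only the browser's copy of it, as an added example that is not part of the original question or of ASP.NET: the ticket's UserData carries a random session token that is registered server-side when issued, removed on logout, and checked on every request. The `TicketRegistry` class and its in-memory dictionary are assumptions for illustration; the ASP.NET calls (`FormsAuthenticationTicket`, `FormsAuthentication.Encrypt`, `FormsIdentity.Ticket`) are the framework's own.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Server-side registry of live forms-auth sessions (illustrative, not framework code).
public static class TicketRegistry
{
    // token -> ticket expiry. Placeholder store: a farm needs a shared database
    // or distributed cache so every server honours the same logouts.
    private static readonly ConcurrentDictionary<string, DateTime> Active =
        new ConcurrentDictionary<string, DateTime>();

    // Issue the ticket ourselves (instead of FormsAuthentication.SetAuthCookie)
    // so UserData can carry a per-session token; then register the token.
    public static void Issue(HttpResponse response, string userName, int timeoutMinutes)
    {
        string token = Guid.NewGuid().ToString("N");
        DateTime now = DateTime.Now;
        var ticket = new FormsAuthenticationTicket(1, userName, now,
            now.AddMinutes(timeoutMinutes), false, token, FormsAuthentication.FormsCookiePath);
        Active[token] = ticket.Expiration;
        response.Cookies.Add(new HttpCookie(FormsAuthentication.FormsCookieName,
                                            FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,
            Secure = FormsAuthentication.RequireSSL,
            Path = FormsAuthentication.FormsCookiePath
        });
    }

    // Logout: forget the token, so a replayed copy of the cookie is rejected
    // even though the ticket inside it has not yet reached its absolute expiry.
    public static void Revoke(FormsAuthenticationTicket ticket)
    {
        DateTime ignored;
        Active.TryRemove(ticket.UserData, out ignored);
        FormsAuthentication.SignOut();
    }

    // A ticket without a registered, unexpired token is not trusted; this also
    // rejects tickets issued by other code paths with empty UserData.
    public static bool IsActive(FormsAuthenticationTicket ticket)
    {
        DateTime expires;
        return Active.TryGetValue(ticket.UserData, out expires) && expires > DateTime.Now;
    }
}

// Global.asax.cs: strip the identity from any request presenting a revoked ticket.
public partial class Global : HttpApplication
{
    protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        var identity = Context.User == null ? null : Context.User.Identity as FormsIdentity;
        if (identity != null && !TicketRegistry.IsActive(identity.Ticket))
        {
            FormsAuthentication.SignOut(); // expire the cookie on the client
            Context.User = new GenericPrincipal(new GenericIdentity(string.Empty), new string[0]);
        }
    }
}
```

Because the check keys on UserData, it keeps working under sliding expiration (renewal copies UserData into the new ticket), whereas a check on the ticket's IssueDate would not. Restarting the process empties the in-memory registry and so signs every user out, which is the expected trade-off of an allow-list store.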