Security loophole around password changes with .NET FormsAuthentication and persistent cookies?

Backend · Unresolved · 2 answers · 1423 views
悲哀的现实 2021-02-01 23:34

OK, here's a scenario:

  1. Bob logs into mysite.com, which uses .NET forms authentication, and ticks 'remember me'.
  2. Eve steals Bob\'s laptop
  3. Bob g
2 answers
  •  抹茶落季
    2021-02-02 00:09

    Having a hashed password in the authentication cookie would mean that you have to check it upon every request. This would be inefficient as authentication can be costly.

    You could provide an easy "fix" for your concern involving an id in the forms cookie's user data section. Note that if you create the cookie on your own, you can inject arbitrary data there, for example the password's record id.

    Now, you could add the AuthenticateRequest handler in your global.asax. You try to retrieve the user data from the cookie and you compare the id retrieved from the cookie with the one in the database. If they do not match, you return an error and/or log the user out of the application.

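The scheme the answer describes, as an added C# example (not code from the question or the answer): the login code builds the FormsAuthenticationTicket itself so it can put a per-user password version id in UserData, and an Application_AuthenticateRequest handler in global.asax compares that id with the current value in the user store. `PasswordVersionAuth`, `GetPasswordVersion`, `IssueTicket` and `IsTicketCurrent` are names made up for this example; the delegate stands in for a real database read, and the assumption is that the stored integer is incremented every time the password changes.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Added example (hypothetical helper class, not from the original post).
public static class PasswordVersionAuth
{
    // Assumption: the user store keeps an integer that is incremented every
    // time the password is changed. Replace this delegate with a real lookup.
    public static Func<string, int> GetPasswordVersion = username => 0;

    // Build the forms ticket by hand (instead of SetAuthCookie) so that the
    // current password version can be stored in the UserData field.
    public static void IssueTicket(HttpResponse response, string username, bool rememberMe)
    {
        int version = GetPasswordVersion(username);
        var ticket = new FormsAuthenticationTicket(
            1,                                      // ticket format version
            username,
            DateTime.Now,
            DateTime.Now.Add(FormsAuthentication.Timeout),
            rememberMe,                             // persistent cookie for "remember me"
            version.ToString(),                     // UserData: password version id
            FormsAuthentication.FormsCookiePath);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,
            Secure = FormsAuthentication.RequireSSL,
            Path = FormsAuthentication.FormsCookiePath
        };
        if (rememberMe)
            cookie.Expires = ticket.Expiration;     // otherwise it stays a session cookie
        response.Cookies.Add(cookie);
    }

    // Returns false when the request carries a forms cookie whose stored
    // password version no longer matches the one in the user store.
    public static bool IsTicketCurrent(HttpRequest request)
    {
        HttpCookie cookie = request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null)
            return true;                            // anonymous request, nothing to check

        FormsAuthenticationTicket ticket;
        try
        {
            ticket = FormsAuthentication.Decrypt(cookie.Value);
        }
        catch (Exception)                           // malformed or tampered cookie
        {
            return false;
        }
        if (ticket == null || ticket.Expired)
            return false;

        int cookieVersion;
        if (!int.TryParse(ticket.UserData, out cookieVersion))
            return false;                           // ticket issued without a version

        return cookieVersion == GetPasswordVersion(ticket.Name);
    }
}

// Global.asax.cs: runs before the request reaches any page or handler.
public class Global : HttpApplication
{
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        if (!PasswordVersionAuth.IsTicketCurrent(Request))
        {
            FormsAuthentication.SignOut();          // clears the forms cookie
            FormsAuthentication.RedirectToLoginPage();
        }
    }
}
```

When Bob changes his password, the handler that updates it also increments the stored version; from then on every ticket issued before the change, including the persistent one on the stolen laptop, fails the comparison on its next request and is signed out. The check costs one indexed read per authenticated request rather than a password hash verification, and the value can be cached for a short interval if even that is too much.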