Security loophole around password changes with .NET FormsAuthentication and persistent cookies?

悲哀的现实 2021-02-01 23:34

OK, here's a scenario:

  1. Bob logs into mysite.com, which uses .NET forms authentication, and ticks 'remember me'.
  2. Eve steals Bob's laptop
  3. Bob g
2 answers
  • 2021-02-02 00:09

    Having a hashed password in the authentication cookie would mean that you have to check it upon every request. This would be inefficient as authentication can be costly.

    You could provide an easy "fix" for your concern involving an id in the forms cookie's user data section. Note that if you create the cookie on your own, you can inject arbitrary data there, for example the password's record id.

    Now, you could add the AuthenticateRequest handler in your global.asax. You try to retrieve the user data from the cookie and you compare the id retrieved from the cookie with the one in the database. If they do not match, you return an error and/or log the user out of the application.

  • 2021-02-02 00:17

    Perhaps it would make sense to only accept FormsAuth tickets issued after your last password reset.

    So in Global.asax AuthenticateRequest, extract the FormsAuthenticationTicket.IssueDate from the encrypted ticket, and compare it to the date of that user's last password reset (you would need to store this in your database when they reset their password).

    If the ticket was issued before that date, then reject the ticket, do not authenticate them and ask them to log in again.

    I haven't implemented this myself, so I could be missing a hole in the theory somewhere...

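Both answers come down to the same shape: decrypt the ticket in `Application_AuthenticateRequest`, compare something in it against what the database says about the user now, and sign the session out on a mismatch. The example below is added here and is not code from the question or from either answer; it combines the first answer's idea (a password-record id carried in the ticket's `UserData`) with the second answer's (reject tickets whose `IssueDate` predates the last password change). `IUserStore`, `GetLastPasswordChangeUtc` and `GetPasswordVersion` are assumed names for your own user-table lookups; everything else is the standard `System.Web.Security` API.

```csharp
// Added example, not from the original question or answers.
// Rejects a persistent forms-auth ticket once the user's password has changed,
// using either the ticket's IssueDate or a password-version id in UserData.
using System;
using System.Web;
using System.Web.Security;

// Hypothetical abstraction over your user table; implement it however you store users.
public interface IUserStore
{
    DateTime? GetLastPasswordChangeUtc(string userName);
    string GetPasswordVersion(string userName);   // e.g. a GUID rotated on every password change
}

public static class TicketValidator
{
    // Pure decision logic, separated from HttpContext so it can be unit tested.
    public static bool IsTicketStillValid(FormsAuthenticationTicket ticket,
                                          DateTime? lastPasswordChangeUtc,
                                          string currentPasswordVersion)
    {
        if (ticket == null || ticket.Expired) return false;

        // Second answer: a ticket issued before the last password change is stale.
        // IssueDate is local time on the issuing server, so compare in UTC.
        if (lastPasswordChangeUtc.HasValue &&
            ticket.IssueDate.ToUniversalTime() < lastPasswordChangeUtc.Value)
            return false;

        // First answer: UserData holds the password version the ticket was minted
        // with; a mismatch means the password changed after the ticket was issued.
        if (!string.IsNullOrEmpty(currentPasswordVersion) &&
            !string.Equals(ticket.UserData, currentPasswordVersion, StringComparison.Ordinal))
            return false;

        return true;
    }

    // Issue a ticket that embeds the current password version in UserData.
    public static HttpCookie CreateAuthCookie(string userName, bool persistent, string passwordVersion)
    {
        DateTime now = DateTime.Now;
        DateTime expiration = persistent ? now.AddDays(30) : now.AddMinutes(30);
        var ticket = new FormsAuthenticationTicket(
            1, userName, now, expiration, persistent, passwordVersion,
            FormsAuthentication.FormsCookiePath);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,
            Secure = FormsAuthentication.RequireSSL,
        };
        if (persistent) cookie.Expires = expiration;   // persistent cookie survives browser restarts
        return cookie;
    }
}

public class Global : HttpApplication
{
    // Assign your IUserStore implementation here at application start-up.
    public static IUserStore Users { get; set; }

    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        HttpCookie cookie = Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || Users == null) return;

        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
        catch (Exception) { ticket = null; }   // tampered cookie or wrong machineKey

        bool ok = ticket != null && TicketValidator.IsTicketStillValid(
            ticket,
            Users.GetLastPasswordChangeUtc(ticket.Name),
            Users.GetPasswordVersion(ticket.Name));

        if (!ok)
        {
            // Clears the cookie and forces the stolen-laptop session back to the login page.
            FormsAuthentication.SignOut();
            Response.Redirect(FormsAuthentication.LoginUrl, true);
        }
    }
}
```

Two practical points. Decrypting the ticket is cheap (symmetric `machineKey` crypto), so the per-request cost is the user lookup; cache the last-change date or password version per user for a short time if that becomes a problem. And because `IssueDate` is set from the issuing server's clock, compare in UTC and keep the web farm's clocks synchronised, otherwise a legitimate ticket issued a few seconds before a password change on another node can be wrongly rejected or accepted.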