Important information on ASP.Net Forms Authentication:

The post describes a reported attack that lets an attacker work out the machine key an ASP.NET site uses to protect its Forms Authentication cookie. It is said to be fully reliable and to succeed against any site in roughly 30 to 50 minutes. With that key, an attacker can mint a forged authentication cookie for any account, including one that carries administrator privileges.

The suggested workaround is to switch the cookie encryption to one of the other algorithms ASP.NET offers, for example Triple DES (the decryption attribute of the machineKey element). Treat that as a stopgap at best: if an attacker can really recover the machine key, which cipher that key is fed to makes no difference. What actually limits exposure is keeping the validation and decryption keys random and unique to the application (never copied from a sample or shared between sites), leaving ticket integrity validation switched on (protection="All" on the forms element), restricting the cookie to HTTPS, and applying the vendor's fix as soon as one is available.
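What those settings look like in web.config, as an added illustration that is not part of the original post. The key values are constructed placeholders of valid length for the algorithms named; generate your own random hex and never reuse it across sites.

```xml
<!-- Added illustration, not from the original post. The two key values are
     constructed placeholders: replace them with freshly generated random hex. -->
<configuration>
  <system.web>
    <!-- validationKey: 64 hex chars (32 bytes); decryptionKey: 48 hex chars
         (24 bytes), which is a valid length for both 3DES and AES. -->
    <machineKey
      validationKey="3F2A9C7D1E5B8A4F6C0D2E9B7A1F4C8D5E3B6A9F2C7D0E1B4A8F3C6D9E2B5A7F"
      decryptionKey="7A1C3E5B9D2F4A6C8E0B1D3F5A7C9E2B4D6F8A0C1E3B5D7F"
      validation="SHA1"
      decryption="3DES" />
    <!-- decryption="3DES" is the change the post suggests; "AES" is the other
         common choice. validation="HMACSHA256" is preferable on framework
         versions that support it. Neither attribute replaces the vendor fix. -->

    <authentication mode="Forms">
      <!-- protection="All" keeps both encryption and the integrity check on the
           ticket; requireSSL stops the cookie travelling over plain HTTP. -->
      <forms name=".ASPXAUTH" loginUrl="~/Login.aspx" protection="All"
             requireSSL="true" slidingExpiration="false" timeout="30" />
    </authentication>

    <!-- Keep the cookie out of script and off cleartext connections. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>
</configuration>
```

The point of spelling the keys out is that a web farm must share them deliberately and rotate them deliberately; a single server can equally leave them autogenerated, as long as the values are never copied from documentation or another application.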

