How Forms Authentication implements a secure timeout on the cookie?
It does not take a genius to alter the timeout on a cookie that is stored on the browser’s memory. Third party browser add-ins and developer tool bars or HTTP interceptors are easiest ways to begin with. ASP.Net’s Forms Authentication and it’s SetAuthCookie method handles the time out in a secure way. By secure way I mean the time out value of the cookie is actually embedded in the value of the cookie itself.
Now we all know that the authenticated user’s name is part of the AuthCookie value, but it is interesting to know that the time out for the session cookie is handled the same way too. And the normal rules of cookie value encryption and MAC verification apply.
Read through the entire blog – http://brockallen.com/2012/06/04/membership-is-not-the-same-as-forms-authentication/
A few important notes below:
Forms Authentication issues a cookie and embeds the username inside the cookie. Upon subsequent requests to the server Forms reads the cookie, validates it, extracts the username and assigns the username to User.Identity.Name (as well as Thread.CurrentPrincipal.Identity.Name).
To implement the cookie-based scheme securely Forms Authentication does several things:
1) Protects the cookie by encrypting and MACing it. This provides protection against people reading the cookie (including the user) and tampering with the value (including the user).
2) Provides a secure timeout on the cookie. Forms does not rely upon the normal cookie timeout — the user could easily change this. Instead Forms embeds the cookie timeout in the encrypted/MAC’d cookie value.
4) Allows the cookie to be marked as SSL-only. This, unfortunately, is not the default nor required (but I think it should for both… well, at least the default).