McAfee published a whitepaper that helps developers understand how to better protect against replay attacks in applications based on ASP.NET. Replay attacks are possible when an unauthorized user gains access to another user's cookie, which can lead to session hijacking. As long as the cookie has not expired such attacks might be possible unless specific preventative measures are taken.
Microsoft also issued an article about the problem, which pertains to forms authentication. Both Microsoft and McAfee recommend a series of defenses to help build a stronger method of protection. Those include the use of SSL, absolute expiration dates, "HttpOnly" cookies, and storing user information in the MembershipUser object of the Membership class.
HttpOnly cookies are a feature only supported by Internet Explorer 6 Service Pack 1. The feature prevents scripts from accessing cookies. The Membership class is a feature only available in ASP.NET 2.0.
The problem with ASP.NET form authentication was originally discovered by Rudolph Araujo, senior software security consultant with Foundstone Professional Services, which is a division of McAfee.
