I think you are thinking too much about this problem. The ability to copy cookies is only an integral problem of cookies - anyone can intercept any cookie and impersonate any data by installing it on another computer.
The "security" of an authentication cookie comes from the fact that no one can (presumably) process a cookie manually to fake an authenticated user. However, after creating the cookie, of course, it can be used for authentication. This means that in order for your "problem" to occur, you still need to have a valid user log in the first place. If this user abuses the system by copying his cookie to other computers to give everyone access, it is just like a user just telling everyone his username and password, except for the much more dumb ones. Therefore, the problem is not copying the cookie - it is the user himself.
Another attack vector will be if the network is compromised, and someone can intercept traffic to collect cookies using a sniffer or something else - but again, this is due to the cookies themselves. This is called Session Hijacking, and the only way to protect against it is to use SSL for your site.
If you are really worried about this, I would simply make sure that your authentication and session timeouts match, and then in your global.asax file, just call FormsAuthentication.SignOut() whenever a user session expires. This will invalidate the authentication whenever a user completes their session, forcing them to log in again. Of course, this can be extremely unpleasant for your users...
I also highly recommend this MSDN article. It will probably answer your questions much better than I can.
womp
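The two settings the answer recommends (SSL for the cookie and matching authentication and session timeouts), shown as an added web.config fragment that is not part of the original answer. The login URL and the 20-minute value are assumptions chosen for illustration.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example: web.config fragment for an ASP.NET forms-authentication site. -->
<configuration>
  <system.web>

    <!-- Mismatched form, left commented out. With no explicit values the
         forms ticket lasts 30 minutes and the session 20, so the user is
         still authenticated after the session state has gone, and the
         ticket cookie is also sent over plain HTTP where it can be sniffed.

         <authentication mode="Forms">
           <forms loginUrl="~/Login.aspx" />
         </authentication>
         <sessionState mode="InProc" />
    -->

    <!-- Corrected form: both timeouts are in minutes and set to the same
         value (20 is an assumed value), and the ticket cookie is only
         ever sent over SSL. -->
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx"
             timeout="20"
             slidingExpiration="true"
             requireSSL="true" />
    </authentication>

    <sessionState mode="InProc" timeout="20" />

    <!-- Applies the same transport rule to the other cookies the site
         issues, including the session cookie, and keeps them out of
         reach of client-side script. -->
    <httpCookies requireSSL="true" httpOnlyCookies="true" />

  </system.web>
</configuration>
```

With sliding expiration the forms ticket is reissued only once more than half of its timeout has elapsed, while the session timer resets on every request, so the two can still drift apart by a few minutes.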