Form Authentication - Cookie replay attack - protection

滥情空心 2020-12-01 22:15

I am being asked about cookie replay attacks against my ASP.NET website's forms authentication.

I have followed the advice below to protect against any attack but think

4 answers
  •  时光取名叫无心 2020-12-01 22:36

    You can easily invalidate forms auth tickets that are "older than date X".

    A FormsAuthenticationTicket has a built-in property called IssueDate that allows you to do that.

    You can, for example, do this:

    1. store a date in the user's database record; you can name it ValidSince
    2. read the ticket's date inside Application_AcquireRequestState (in global.asax)
    3. if the ticket's IssueDate is older than the database date, log out!

    When you want to invalidate a particular user - just reset that date in the database to the current date.

    I blogged about it here if you need some actual code samples.

    One very common use case is to "invalidate all sessions created before the last password-change".
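    The three steps above, written out as an added example (this is not the answerer's code, nor the code from the linked blog post). It assumes a hypothetical `ValidSinceStore` standing in for the users table (an in-memory dictionary here, a database column in practice), and that `ValidSince` is stored in UTC, since `FormsAuthenticationTicket.IssueDate` is a local `DateTime` and has to be converted before the comparison.

```csharp
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.Security;

// Hypothetical stand-in for the users table: maps a user name to the
// ValidSince timestamp (kept in UTC). A real implementation reads this
// from the database, ideally through a short-lived cache.
public static class ValidSinceStore
{
    private static readonly Dictionary<string, DateTime> ValidSinceUtc =
        new Dictionary<string, DateTime>(StringComparer.OrdinalIgnoreCase);

    public static DateTime? Get(string userName)
    {
        DateTime value;
        return ValidSinceUtc.TryGetValue(userName, out value) ? value : (DateTime?)null;
    }

    // Call this after a password change (or any "log me out everywhere" action):
    // every ticket issued before this moment stops being accepted.
    public static void InvalidateAllSessions(string userName)
    {
        ValidSinceUtc[userName] = DateTime.UtcNow;
    }
}

public static class TicketValidator
{
    // True when the ticket is unexpired and was issued at or after ValidSince.
    // IssueDate is local time, so it is converted to UTC before comparing.
    public static bool IsStillValid(FormsAuthenticationTicket ticket, DateTime? validSinceUtc)
    {
        if (ticket == null || ticket.Expired) return false;
        if (validSinceUtc == null) return true;   // user was never invalidated
        return ticket.IssueDate.ToUniversalTime() >= validSinceUtc.Value;
    }
}

public class Global : HttpApplication
{
    protected void Application_AcquireRequestState(object sender, EventArgs e)
    {
        // Decrypt the cookie that actually arrived with the request instead of
        // reading ((FormsIdentity)User.Identity).Ticket: with sliding expiration
        // the FormsAuthenticationModule may already have renewed the ticket with
        // a fresh IssueDate earlier in the pipeline, hiding the original issue time.
        HttpCookie cookie = Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return;

        FormsAuthenticationTicket ticket;
        try
        {
            ticket = FormsAuthentication.Decrypt(cookie.Value);
        }
        catch (ArgumentException)
        {
            ticket = null;   // tampered or undecryptable cookie: treat as unauthenticated
        }
        catch (HttpException)
        {
            ticket = null;
        }

        if (ticket == null)
        {
            RejectTicket();
            return;
        }

        DateTime? validSince = ValidSinceStore.Get(ticket.Name);
        if (!TicketValidator.IsStillValid(ticket, validSince))
        {
            RejectTicket();
        }
    }

    private void RejectTicket()
    {
        // Clear the auth cookie and send the client back to the login page.
        FormsAuthentication.SignOut();
        FormsAuthentication.RedirectToLoginPage();
    }
}
```

    Wire `ValidSinceStore.InvalidateAllSessions(userName)` into the password-change handler and every ticket issued before that call, including a replayed one that is otherwise still unexpired, is rejected on its next request. Keeping the comparison in UTC on both sides avoids a false accept or reject around daylight-saving changes.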
