Preventing Cookie replay attacks in ASP.Net MVC

感情败类 2021-01-12 18:26

I have been tasked with implementing point 4 in this article: http://support.microsoft.com/kb/900111

This involves using the Membership provider to add a comment to

2 Answers
  •  Happy的楠姐
    2021-01-12 18:48

    Can I roll my own key value store of cookie values to logged in users and just make sure I clear this when a user hits the logout button?

    Yes, you can do this. The Membership Provider keeps a small set of data about the user (username, email, password, last login, lost password question, lost password answer, etc.).

    If you don't want to retrofit a membership provider I would take the approach you mentioned. Whether the information is written to the comment field of the aspnet_Users table or a bit field in your own table, it shouldn't make any difference.

    You also might want to consider putting an interface around your Membership/Authentication code. Then you could swap your current code to a Membership Provider implementation when it's more convenient.
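
Added example, not part of the answer above or of the original page: a sketch of the "own key value store" approach, where a random token issued at login must still be present server-side for the cookie to be honoured, so a cookie replayed after logout is rejected. `ActiveLoginStore` and its members are hypothetical names, and carrying the token in `FormsAuthenticationTicket.UserData` is an assumption.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;

// Hypothetical helper: server-side registry of login tokens that are still valid.
public sealed class ActiveLoginStore
{
    private sealed class Entry
    {
        public string UserName;
        public DateTime ExpiresUtc;
    }

    private readonly ConcurrentDictionary<string, Entry> _live =
        new ConcurrentDictionary<string, Entry>(StringComparer.Ordinal);
    private readonly TimeSpan _lifetime;

    public ActiveLoginStore(TimeSpan lifetime) { _lifetime = lifetime; }

    // Call at login; place the returned token in the auth ticket
    // (assumed here: FormsAuthenticationTicket.UserData).
    public string Issue(string userName)
    {
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(bytes);
        string token = Convert.ToBase64String(bytes);
        _live[token] = new Entry { UserName = userName, ExpiresUtc = DateTime.UtcNow + _lifetime };
        return token;
    }

    // Call on every authenticated request, after the cookie itself has been decrypted and validated.
    public bool IsLive(string token, string userName)
    {
        Entry e;
        if (string.IsNullOrEmpty(token) || !_live.TryGetValue(token, out e))
            return false;                      // never issued, or revoked at logout
        if (e.ExpiresUtc <= DateTime.UtcNow)
        {
            _live.TryRemove(token, out e);     // expired server-side, independent of the cookie
            return false;
        }
        return string.Equals(e.UserName, userName, StringComparison.Ordinal);
    }

    // Call from the logout action, before FormsAuthentication.SignOut().
    public void Revoke(string token)
    {
        Entry removed;
        if (!string.IsNullOrEmpty(token))
            _live.TryRemove(token, out removed);
    }
}
```

This in-memory dictionary is per process, so it is emptied by an application pool recycle and is not shared across a web farm; backing it with a table of your own, as the answer suggests, removes both limits.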
