Using FormsAuthentication built into asp.net it's very quick and easy to create a login system that creates a cookie for authenticated users:
Just some random statements about your thought process, but in regards to
So what I've done in the past is hold the username and password used in a cookie, then re-authenticate this with every request.
@Scott Mitchell brought this up already and discussed reasons to not do this due to security implications of this.
I felt it would be worth pointing out why this would not make sense (even disregarding security implications of leaking information). The reason you are generating a forms authentication ticket (the cookie) is that you are letting ASP.NET stamp this user's browser with that ticket that lets you acknowledge this is the specified user that has already been authenticated.
By issuing them a ticket you are doing so to imply they do not need to be authenticated as they have already been previously.
A good analogy to this is you go to a bar, on your way in you get your ID scanned by the bouncer to make sure your ID is legitimate and that you're over 21. Upon confirmation of this, they give you a wrist band that is a certain color / design.
With your wrist band you are able to leave the building to smoke and return inside, circumventing the line and the need to have your ID scanned, allowing you to return that day. Now should you go home, but not take the wrist band off when you go to bed (like leaving the browser open overnight), you come back to the bar the next day and attempt to show your wrist band to bypass the line. At this point you're rejected because you have last night's wrist band and are told to get to the back of the line and get authorized again.
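
The ticket lifecycle from the analogy above, as an added example that is not part of the original answer or of ASP.NET itself: credentials are checked once at login, and later requests only check that the ticket is genuine and unexpired. `TicketAuth`, `SignIn` and `TryGetUser` are hypothetical names, and the code assumes the caller has already validated the password; in a standard setup `FormsAuthentication.SetAuthCookie` and the forms authentication module do this work for you.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Added illustration; TicketAuth, SignIn and TryGetUser are hypothetical names.
public static class TicketAuth
{
    // Called once, after the login form's credentials were validated by the caller.
    // The password is not stored anywhere in the ticket or the cookie.
    public static void SignIn(HttpResponseBase response, string userName, TimeSpan lifetime)
    {
        DateTime now = DateTime.Now;
        var ticket = new FormsAuthenticationTicket(
            1,                  // ticket format version
            userName,           // identity the ticket vouches for
            now,                // issue time
            now.Add(lifetime),  // expiry: the wrist band is only good until then
            false,              // not persistent: a session cookie
            string.Empty);      // userData: no credentials go in here

        // Encrypt() protects the ticket with the application's machineKey settings,
        // so the browser holds an opaque value it cannot read or alter.
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,                          // not readable from script
            Secure = FormsAuthentication.RequireSSL,  // follows the <forms requireSSL> setting
            Path = FormsAuthentication.FormsCookiePath
        };
        response.Cookies.Add(cookie);
    }

    // Called on later requests: no password check, only "is this ticket genuine and current?"
    public static bool TryGetUser(HttpRequestBase request, out string userName)
    {
        userName = null;
        HttpCookie cookie = request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return false;

        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
        catch (Exception) { return false; }  // fail closed on any malformed or altered value

        if (ticket == null || ticket.Expired) return false;  // last night's wrist band
        userName = ticket.Name;
        return true;
    }
}
```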