OK, here's a scenario:
Perhaps it would make sense to only accept FormsAuth tickets issued after your last password reset.
So in Global.asax AuthenticateRequest, extract the FormsAuthenticationTicket.IssueDate from the encrypted ticket, and compare it to the date of that user's last password reset (you would need to store this in your database when they reset their password).
If the ticket was issued before that date, then reject the ticket, do not authenticate them and ask them to log in again.
I haven't implemented this myself, so I could be missing a hole in the theory somewhere...
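
A sketch of the check described above, added here as an example and not code from the original post. It assumes cookie-based forms authentication; `LastPasswordResetUtc` is a hypothetical hook that the application wires to wherever it stores the reset timestamp (in UTC).

```csharp
// Global.asax.cs
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    // Hypothetical hook: returns the user's last password reset time (UTC),
    // or null if the user has never reset. Point it at your own database.
    public static Func<string, DateTime?> LastPasswordResetUtc = userName => null;

    // Pure decision, kept separate so it can be unit tested without HttpContext.
    public static bool IsTicketStale(DateTime issuedUtc, DateTime? lastResetUtc)
    {
        return lastResetUtc.HasValue && issuedUtc < lastResetUtc.Value;
    }

    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        // Only re-check requests the forms-auth module has already accepted.
        if (Context.User == null || !Context.User.Identity.IsAuthenticated) return;

        HttpCookie cookie = Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null) return; // not cookie-based forms auth (assumption above)

        // Read the ticket from the request cookie, not from Context.User:
        // with slidingExpiration the module may already have replaced the
        // identity's ticket with a renewed one whose IssueDate is "now".
        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
        catch (ArgumentException) { ticket = null; }

        // IssueDate is local time; compare in UTC against the stored value.
        bool reject = ticket == null || IsTicketStale(
            ticket.IssueDate.ToUniversalTime(), LastPasswordResetUtc(ticket.Name));
        if (!reject) return;

        // Expire the cookie and downgrade this request to anonymous, so URL
        // authorization sends protected pages to the login page.
        FormsAuthentication.SignOut();
        Context.User = new GenericPrincipal(
            new GenericIdentity(string.Empty), new string[0]);
    }
}
```

The lookup runs on every authenticated request, so cache the reset timestamp per user if the database round trip is a concern.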