I have an ASP.NET MVC application using forms authentication.
When the user logs in, I get an auth cookie set to some value, i.e.:
auth = XXXYYY001
All good.
Now, when half of the session expiration time passes with sliding expiration enabled (as stated in the documentation), the auth cookie value changes:
auth = XXXYYY002
I have no problem with this.
The problem is that the original cookie value (XXXYYY001) still works when I try to hijack the session from a different browser after the auth cookie value changed. This was flagged by an ethical hacking engagement we had on our site, and I was able to reproduce it on a simple test site I built.
My question is: how could I prevent this from happening? I haven't looked at the source code (I don't even know if that part of ASP.NET is open source), but I haven't found anything in the documentation telling me how to handle this scenario.
Thanks a lot in advance.
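The behaviour described in the question comes from forms authentication tickets being self-contained: the cookie is an encrypted and MAC-protected ticket, and the server keeps no record of which tickets it has issued, so renewing the ticket under sliding expiration does not retire the previous one. The following is an added example (not code from the question or from ASP.NET itself) of an IHttpModule that gives the server that missing memory: it records the newest ticket IssueDate seen per user and rejects any ticket that is older, which is exactly what a replayed pre-renewal cookie looks like. The class name, the in-memory dictionary standing in for a shared store, and the five-second grace window are all assumptions of this example.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Added example: reject forms-auth tickets that are older than the newest
// ticket the server has seen for the same user. The IssueDate lives inside
// the encrypted, MAC-protected ticket, so a client cannot forge it; the
// server stamps it at login and again each time sliding expiration renews
// the ticket.
public class StaleTicketRejectionModule : IHttpModule
{
    // Assumption: an in-memory map is enough for a single-server demo.
    // In production, back this with a shared store (database or distributed
    // cache) so the check survives application restarts and applies across
    // every server in a web farm.
    private static readonly ConcurrentDictionary<string, DateTime> LatestIssueDate =
        new ConcurrentDictionary<string, DateTime>(StringComparer.OrdinalIgnoreCase);

    // Tolerance for requests already in flight with the previous cookie at the
    // moment of renewal (several tabs, parallel XHR calls). Assumed value.
    private static readonly TimeSpan Grace = TimeSpan.FromSeconds(5);

    public void Init(HttpApplication app)
    {
        // PostAuthenticateRequest runs after FormsAuthenticationModule has
        // decrypted the cookie and, under sliding expiration, renewed it, so
        // identity.Ticket already carries the renewed IssueDate on the request
        // that triggered the renewal.
        app.PostAuthenticateRequest += OnPostAuthenticateRequest;
    }

    private static void OnPostAuthenticateRequest(object sender, EventArgs e)
    {
        var app = (HttpApplication)sender;
        var context = app.Context;
        var user = context.User;
        var identity = user == null ? null : user.Identity as FormsIdentity;
        if (identity == null || !identity.IsAuthenticated)
        {
            return; // anonymous request: nothing to check
        }

        // FormsAuthenticationTicket.IssueDate is reported in server local time.
        DateTime issued = identity.Ticket.IssueDate;

        if (!IsFresh(identity.Name, issued))
        {
            // An older ticket presented after a renewal or logout: treat it as
            // a replayed cookie. Clear the cookie, drop the principal and stop.
            FormsAuthentication.SignOut();
            context.User = new GenericPrincipal(new GenericIdentity(string.Empty), new string[0]);
            context.Response.StatusCode = 401;
            app.CompleteRequest();
        }
    }

    // True when the ticket is at least as new as the newest ticket recorded
    // for this user (within Grace). A newer ticket replaces the recorded one,
    // which is what retires the pre-renewal cookie.
    public static bool IsFresh(string userName, DateTime issued)
    {
        DateTime newest = LatestIssueDate.AddOrUpdate(
            userName,
            issued,
            (key, current) => issued > current ? issued : current);

        return issued + Grace >= newest;
    }

    // Call this from the logout action after FormsAuthentication.SignOut():
    // every ticket issued before now becomes stale, so a cookie captured
    // before logout cannot be replayed afterwards, while a fresh login gets a
    // newer IssueDate and passes again.
    public static void RevokeAll(string userName)
    {
        LatestIssueDate[userName] = DateTime.Now;
    }

    public void Dispose()
    {
    }
}
```

Register the module in web.config under system.webServer/modules (an add element with name StaleTicketRejection and type StaleTicketRejectionModule) so it runs on every request. Two caveats to keep in mind: the grace window is there because the browser may have several requests in flight with the old cookie at the instant the renewal response arrives, so a window of zero would log legitimate users out; and because IssueDate is stamped by whichever server renewed the ticket, servers in a farm need synchronised clocks or a grace window larger than their skew.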