Penetration testers say that the .ASPXAUTH cookie is insecure and is displaying session data?

I thought the .ASPXAUTH was for user authentication? Can anyone confirm if this cookie is indeed a security risk and/or contains session information? Is it even suppose to be used or开发者_高级运维 is it some debug thing?

I think you have run into some comments that have to do with Forms Authentication security. You can find more info here: http://visualstudiomagazine.com/articles/2010/09/14/aspnet-security-hack.aspx

What it boils down to is that a clever hacker can discover the machine key used to encrypt the cookeis and create their own forged auth cookies.