ASP.Net Remember Me Functionality

I have an ASP.Net 4.0 Web App. I'm try to architect a "remember me for 14 days" requirement. After that period I'd like to force them to re-login.

So my question is how to do this. I'm thinking of creating my own HttpModule and have it hook into the PostAuthenticateRequest event. In this event I'll check if the current principal was not authenticated by the normal FormsAuthenticationModule. If not, I would look at the auth ticket returned from the browser and see if it contains my UserData. My UserData in the ticket would the password they used to successfully authenticate.

My Question:

I'll have to add the password that they used to every response right? The normal FormsAuthenticationModule changes the ticket that gets sent to the browser continually to keep the user's session alive. So where the best place for me to plug into the pipeline to continually add this to each auth ticket for every response? And if the FormsAuthenticationModule is already building the ticket, bui开发者_运维百科lding the cookie, and encrypting it, do I have to override that logic and do that all myself?

Thanks

quote "My UserData in the ticket would the password they used to successfully authenticate." not sure about the rest, but do not trust any data from the client, cookies can be modified and storing the password in a cookie is BAD, and what about multiuser systems?