views: 365

answers: 6

Can anyone hijack (via js) the asp.net forms cookie and change the expire date?

What can stop them from grabbing it and changing the expire date? i.e. effectively letting the user stay logged in?

Update

Does the .NET framework forms auth cookie rely on the cookie's expiration date, or does it encrypt that?

A: 

Well, not sure about JavaScript, but you can do it using the Cookie Editor add-on for Firefox.

encrypt it

set an additional date flag inside the cookie

Searock
+1  A: 

Track it server side.

Joe Philllips
+2  A: 

Cookies are stored by the client, you can't trust them not to change.

There are extensions for Firefox that let you edit cookies, including the expire dates. If you want to force them to expire, you should be tracking them server side too and expire them there.

Sam Hasler
A: 

If you want to prevent this, hash the expiration date into the cookie value. Then, when you retrieve the cookie, if the hashed expiration date doesn't match the plaintext expiration date, discard the cookie.

Jekke
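A worked version of the scheme in the answer above, added here as an illustration and not part of any answer on the page. The one refinement it makes is that the "hash" must be a keyed MAC (HMAC-SHA256 under a secret only the server holds): a plain unkeyed hash of the expiry could be recomputed by whoever edits the cookie, so it would not detect tampering. The secret key, the `|` separator and the function names are constructed for the example.

```python
import base64
import hashlib
import hmac
import time

# Constructed secret for the example. A real deployment loads this from protected
# server-side configuration; it must never reach the client.
SERVER_KEY = b"example-secret-key-not-for-production"


def _sign(expires: int) -> str:
    """Keyed MAC over the expiry timestamp, URL-safe base64 without padding."""
    mac = hmac.new(SERVER_KEY, str(expires).encode("ascii"), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode("ascii").rstrip("=")


def make_cookie(expires: int) -> str:
    """Cookie value: plaintext expiry (Unix seconds) plus a MAC binding it to the key."""
    return f"{expires}|{_sign(expires)}"


def verify_cookie(value: str, now: int) -> bool:
    """Accept only if the MAC matches the expiry field AND the expiry is still in the future.

    Any edit to the expiry field (or to the MAC) makes the comparison fail, so a
    client that rewrites its own cookie simply gets logged out.
    """
    try:
        exp_str, mac = value.split("|", 1)
        expires = int(exp_str)
    except ValueError:
        return False  # malformed or truncated cookie
    if not hmac.compare_digest(mac, _sign(expires)):
        return False  # expiry or MAC was altered
    return now < expires


def demo() -> None:
    now = int(time.time())
    cookie = make_cookie(now + 600)  # valid for 10 minutes
    print("fresh cookie accepted:", verify_cookie(cookie, now))

    # Simulate the client pushing the expiry a day into the future without the key.
    exp, mac = cookie.split("|", 1)
    edited = f"{int(exp) + 86400}|{mac}"
    print("edited expiry accepted:", verify_cookie(edited, now))  # False

    print("expired cookie accepted:", verify_cookie(cookie, now + 601))  # False


if __name__ == "__main__":
    demo()
```

The expiry check on the server is what actually ends the session; the browser-side cookie `Expires` attribute only controls when the browser stops sending it, and is not to be relied on, as the other answers say.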
+4  A: 

There are a few things you can do to improve the situation.

In web.config, set protection="All" for the cookie: http://msdn.microsoft.com/en-us/library/1d3t3c61.aspx. This will encrypt and validate, making it harder to hack client-side.

Additionally, cookies can have httpOnly set to true. This tells the browser that the cookie cannot be manipulated in javascript.

The <forms> element in web.config also has a setting for timeout (see link above). It's possible that Microsoft's implementation is smart enough not to depend solely on the cookie, but I don't know.

The other comments are correct that the client should never be trusted. So to be airtight, you'll want to track "last login" on the server and force a new login after some time period.

Matt Sherman
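A web.config fragment that applies the settings described in the answer above, added here as an example and not taken from the answer or from Microsoft's documentation. `protection="All"` makes ASP.NET both encrypt and sign the forms ticket (with the machineKey), and the ticket carries its own expiration inside that protected payload, which is what `FormsAuthentication` checks server side; the browser's cookie expiry is not trusted for that decision. The cookie name and login URL are placeholders.

```xml
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- protection="All": ticket is encrypted and validated, so the expiry
           stored inside it cannot be edited without the server detecting it.
           timeout is in minutes; slidingExpiration="false" makes it absolute
           rather than renewed on every request. -->
      <forms name=".ASPXAUTH"
             loginUrl="~/Login.aspx"
             protection="All"
             timeout="30"
             slidingExpiration="false"
             requireSSL="true" />
    </authentication>
    <!-- Marks cookies the application sets as HttpOnly (script cannot read or
         rewrite them) and, with requireSSL, only sends them over HTTPS. The forms
         ticket cookie is HttpOnly regardless of this element. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>
</configuration>
```

HttpOnly stops page script from touching the cookie, but not a user with a cookie editor or a proxy, which is why the integrity protection and a server-side session record are still needed.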
A: 

Via JS (JavaScript) it is not possible, at least not in a browser that honors the HttpOnly attribute that ASP.NET sets for the Forms cookie.

Andrei Rinea