This seems to be indicating that values are encrypted in the cookie, and the issue is the AES encryption algorithm was implemented poorly.<p>Why are <i>any</i> values with any degree of sensitivity being stored in a cookie in the first place?<p>I'd argued against encrypted values being stored in cookies many years ago with some colleagues, arguing in favor of randomized values. What I kept getting back was "random isn't really random - that's insecure". I could never quite explain my point in a way they understood, which I still count as a failing on my part (but still a failure on theirs to grasp basic security stuff in the first place).<p>So... am I correct in understanding that the ASP.NET system is storing something of value via encryption in cookies? If so, what?<p>EDIT - should have read the full thing - this is the padding attack from last week. :/