6.3. Securing the Ticket on the Wire
By default, the forms authentication ticket is digitally encrypted and signed using a keyed hash. This security has been available since ASP.NET 1.0, and ASP.NET 3.5 uses the same security for the ticket. However, there have been some new questions over hash security and support for new encryption options in ASP.NET 2.0 and ASP.NET 3.5.
6.3.1. How Secure Are Signed Tickets?
Since ASP.NET 1.0, forms authentication tickets have been digitally signed using a keyed hash that uses the SHA1 algorithm. When SHA1 was originally chosen years ago, it was considered a very secure hashing algorithm with no likelihood of being cryptographically weakened. In 2005, there were reports that SHA1 had been "broken"; in the cryptographic community, someone reported a theoretical collision-based attack on SHA1 hashes.
In summary, some researchers proposed a way to reduce the chance of inducing a hash collision in SHA1 to only 269 attempts. Normally, you would expect to take around 280 attempts to create a collision in SHA1 (SHA1 hashes are 160 bits in length, so you can figure that on average you only need to flip half as many possible bits to eventually find a piece of text that results in a matching SHA1 hash.)
So, this new attack against SHA1 theoretically reduces the number of attempts by a pretty hefty 1208335523804270469054464 iterations (after notepad, I think calc.exe is the most frequently entered command from the Run option in Windows). Suffice it say ...