I have a standard MVC app and I just tested logging in using:
FormsAuthentication.SetAuthCookie("userToImpersonate", false);
And this works - I can log in without using their password. Should this be possible? I'm scared to think that my developers can impersonate another user with a single line of code, and I'm more scared to think that our implementation of Forms Auth is incorrect. FWIW, here's how we normally Auth users:
WebSecurity.Login(model.Username, model.Password)
The FormsAuthentication.SetAuthCookie method will encrypt the cookie with the machine key that is currently configured. The correct and secure way to handle this is to have proper automation (Ansible, Puppet, ...) that will spin up your production machines and set the production keys to some secret values that your developers will never have access to. For example, if you use Ansible, then Ansible Vault is the proper place to keep your production keys, and only your devops will have access to it.

This way your developers can perfectly well use the FormsAuthentication.SetAuthCookie method on their local machines, but the produced cookie will be encrypted with their machines' keys, making it useless in production. Of course, if an attacker gains access to your production machines, then there's not much you could do.
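As an added example (not part of the question or the answer above, and not ASP.NET's own code), the following Python models the point the answer makes: a forms-auth style ticket is only as trustworthy as the key that signed it, so a ticket minted on a developer box with the developer's machine key is rejected by a server holding a different production key. The ticket format here is a simplified HMAC-SHA256-signed JSON payload, roughly what the ASP.NET `machineKey` validation step does, without the encryption layer; `set_auth_cookie` and `decrypt_ticket` are hypothetical stand-ins for `FormsAuthentication.SetAuthCookie` and `FormsAuthentication.Decrypt`, and both keys are constructed sample values rather than real secrets.

```python
"""Added example (not from the question or the answer): a minimal model of how a
FormsAuthentication-style ticket is bound to a per-environment machine key, so
a ticket minted with a developer's key does not validate in production.

This is NOT the real ASP.NET ticket format. It signs a JSON payload with
HMAC-SHA256 (close to protection="Validation" with validation="HMACSHA256")
and skips encryption, since the standard library has no AES."""
import base64
import hashlib
import hmac
import json
import time

# Constructed sample keys. In a real deployment the production key comes from
# Ansible Vault (or equivalent) and never exists on a developer's machine.
DEV_MACHINE_KEY = hashlib.sha256(b"developer-laptop-key").digest()
PROD_MACHINE_KEY = hashlib.sha256(b"production-secret-from-vault").digest()


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def set_auth_cookie(username: str, machine_key: bytes,
                    ttl_seconds: int = 1800, now=None) -> str:
    """Hypothetical stand-in for FormsAuthentication.SetAuthCookie: mint a
    ticket for `username` with no password check at all. The only thing that
    stands between anyone and a valid ticket is possession of `machine_key`."""
    now = int(time.time()) if now is None else now
    payload = json.dumps({"name": username, "exp": now + ttl_seconds},
                         separators=(",", ":")).encode()
    tag = hmac.new(machine_key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def decrypt_ticket(cookie: str, machine_key: bytes, now=None):
    """Hypothetical stand-in for FormsAuthentication.Decrypt plus the expiry
    check. Returns the username, or None when the ticket was not minted under
    `machine_key`, was tampered with, is malformed, or has expired."""
    try:
        payload_b64, tag_b64 = cookie.split(".", 1)
        payload = _unb64(payload_b64)
        tag = _unb64(tag_b64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(machine_key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    now = int(time.time()) if now is None else now
    data = json.loads(payload)
    if data.get("exp", 0) <= now:
        return None
    return data.get("name")


def demo() -> dict:
    """Run the scenarios from the answer and return who each server accepts."""
    dev_cookie = set_auth_cookie("userToImpersonate", DEV_MACHINE_KEY)
    prod_cookie = set_auth_cookie("alice", PROD_MACHINE_KEY)
    # Tampering: swap the payload of a genuine production ticket, keep its tag.
    forged = _b64(json.dumps({"name": "admin", "exp": 2**31},
                             separators=(",", ":")).encode())
    tampered = forged + "." + prod_cookie.split(".", 1)[1]
    expired = set_auth_cookie("bob", PROD_MACHINE_KEY, ttl_seconds=1, now=0)
    return {
        "dev_cookie_on_dev_box": decrypt_ticket(dev_cookie, DEV_MACHINE_KEY),
        "dev_cookie_on_prod": decrypt_ticket(dev_cookie, PROD_MACHINE_KEY),
        "prod_cookie_on_prod": decrypt_ticket(prod_cookie, PROD_MACHINE_KEY),
        "tampered_on_prod": decrypt_ticket(tampered, PROD_MACHINE_KEY),
        "expired_on_prod": decrypt_ticket(expired, PROD_MACHINE_KEY),
    }


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(f"{scenario}: {result}")
```

The developer's ticket is accepted on the developer's own box and rejected by the production key, which is exactly the separation the answer describes; the tampered and expired cases show that the same key check also catches payload edits and stale tickets. The one thing the model cannot fix is the last sentence of the answer: whoever holds the production key, including an attacker on the production host, can call the minting function for any username.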