This notion of encrypted cookies or tokens being an inherently bad mechanism to store information securely is a red herring. The fact is that these platforms --- .NET, JSF, Rails, Django included --- provide functionality that stores encrypted information client-side. When that functionality is broken, it's a platform-level security flaw.

Whether you're right or you're wrong (and I would tend to agree that storing sensitive information client-side --- or doing anything else that involves encryption --- isn't worth the risk), this isn't a productive point to make. These designs exist, and can be secure, but contain flaws that must be corrected, lest many tens of applications be susceptible to devastating attacks.
