Information
The cookie protection mode defines the protection Forms Authentication cookies will be given within a configured application. The four cookie protection modes that can be defined are:
Encryption and validation - Specifies that the application use both data validation and encryption to help protect the cookie; this option uses the configured data validation algorithm (based on the machine key) and triple-DES (3DES) for encryption, if available and if the key is long enough (48 bytes or more)
None - Specifies that both encryption and validation are disabled for sites that are using cookies only for personalization and have weaker security requirements
Encryption - Specifies that the cookie is encrypted by using Triple-DES or DES, but data validation is not performed on the cookie; cookies used in this manner might be subject to plain text attacks
Validation - Specifies that a validation scheme verifies that the contents of an encrypted cookie have not been changed in transit
It is recommended that cookie protection mode always encrypt and validate Forms Authentication cookies.
Rationale:
By encrypting and validating the cookie, the confidentiality and integrity of data within the cookie is assured. This helps mitigate the risk of attacks such as session hijacking and impersonation.
Impact:
Protection Forms Authentication cookies will restricted to the mode defined.
Solution
Cookie protection mode can be configured by using the user interface (UI), by running Appcmd.exe commands in a command-line window, by editing configuration files directly, or by writing WMI scripts. Using IIS Manager:
Open IIS Manager and navigate to the level where Forms Authentication is enabled
In Features View, double-click Authentication
On the Authentication page, select Forms Authentication
In the Actions pane, click Edit
In the Cookie settings section, verify the drop-down for Protection mode is set for Encryption and validation
OR
Enter the following command in PowerShell to configure:
Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST/<website name>' -filter 'system.web/authentication/forms' -name 'protection' -value 'All'
Default Value:
When cookies are used for Forms Authentication, the default cookie protection mode is All, meaning the application encrypts and validates the cookie.