By encrypting and validating the web application cookie, the confidentiality and integrity of the data within the cookie are assured.
This helps mitigate the risk of attacks such as session hijacking and impersonation.
1. Open IIS Manager and navigate to the site, application, or virtual directory you want to configure.
2. In the IIS Section (Features View), double-click Authentication.
3. On the Authentication page, select Forms Authentication.
4. In the Actions pane, click Edit (Enable if necessary).
5. In the Cookie settings section, verify that the Protection mode drop-down is set to Encryption and validation.
6. Open the web.config file for the application in which forms authentication is enabled.
7. Confirm the protection attribute for the forms element is set to “All”.
<system.web>
  <authentication>
    <forms cookieless="UseCookies" protection="All" />
  </authentication>
</system.web>
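As an added audit check (example code written for this note, not from the original article or from Microsoft), the following Python parses a web.config and reports whether the forms-authentication cookie settings match the values above; the sample web.config contents are constructed, and the function names are my own.

```python
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample web.config contents (not taken from any real deployment).
WEAK_WEB_CONFIG = """<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms cookieless="UseCookies" protection="Encryption" />
    </authentication>
  </system.web>
</configuration>"""

HARDENED_WEB_CONFIG = WEAK_WEB_CONFIG.replace('protection="Encryption"', 'protection="All"')

# What each non-"All" protection value gives up.
_WEAKNESS = {
    "Encryption": "validation: a tampered ticket is not detected",
    "Validation": "encryption: the ticket contents are readable",
    "None": "both encryption and validation",
}


def check_forms_cookie_protection(web_config_xml: str) -> dict:
    """Return the effective forms-auth cookie protection and any findings.

    'findings' is empty when the forms element is present, protection is
    "All" and cookieless is "UseCookies", as the hardening steps require.
    """
    root = ET.fromstring(web_config_xml)
    auth = next(root.iter("authentication"), None)
    forms = auth.find("forms") if auth is not None else None
    if forms is None:
        return {"protection": None, "explicit": False,
                "findings": ["no system.web/authentication/forms element"]}
    findings = []
    # ASP.NET treats a missing protection attribute as "All" (encrypt + validate).
    explicit = "protection" in forms.attrib
    protection = forms.get("protection", "All")
    if protection != "All":
        findings.append(f'protection="{protection}" drops '
                        + _WEAKNESS.get(protection, "an unrecognised level"))
    # The default, UseDeviceProfile, may carry the ticket in the URL instead of a cookie.
    if forms.get("cookieless", "UseDeviceProfile") != "UseCookies":
        findings.append("cookieless is not UseCookies")
    return {"protection": protection, "explicit": explicit, "findings": findings}


def check_web_config_file(path) -> dict:
    """Run the same check on a web.config on disk (tolerates a UTF-8 BOM)."""
    return check_forms_cookie_protection(Path(path).read_text(encoding="utf-8-sig"))


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_WEB_CONFIG), ("hardened", HARDENED_WEB_CONFIG)):
        print(name, check_forms_cookie_protection(cfg))
```

Point `check_web_config_file` at each application's web.config after step 7 to confirm the attribute was actually persisted, since an explicit `protection="All"` is what the review expects to see.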