Secure Flag for ASPXAUTH Cookie

天涯浪人 2021-02-07 21:37

We have an externally facing application which was penetration-tested by an external security company. The application has been developed on ASP.NET MVC4 and is running on IIS8/Windows

4 answers
  •  耶瑟儿~
    2021-02-07 22:08

    Answer for your second question

    Possible duplicate of How to secure .ASPXAUTH token

    As per the answer by xelco:

    To prevent forms authentication cookies from being captured and tampered with while crossing the network, ensure that you use SSL with all pages that require authenticated access and restrict forms authentication tickets to SSL channels by setting requireSSL="true" on the <forms> element.
    
    To restrict forms authentication cookies to SSL channels set requireSSL="true" on the <forms> element, as shown in the following code:
    
    
    
    By setting requireSSL="true", you set the secure cookie property that determines whether browsers should send the cookie back to the server. With the secure property set, the cookie is sent by the browser only to a secure page that is requested using an HTTPS URL.
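
One way to re-check this finding after the fix, as an added example that is not part of the original answer: a small Python audit that reads a web.config and a captured Set-Cookie value and reports whether .ASPXAUTH will carry the Secure flag. The two web.config fragments and the cookie values are constructed samples; the check on the site-wide httpCookies element goes slightly beyond what the answer covers, and the code assumes a web.config without an XML namespace.

```python
import xml.etree.ElementTree as ET
from http.cookies import SimpleCookie

# Constructed web.config fragments (not from the original post).
WEAK = """<configuration><system.web>
  <authentication mode="Forms">
    <forms loginUrl="~/Account/Login" timeout="30" />
  </authentication>
</system.web></configuration>"""

HARDENED = """<configuration><system.web>
  <authentication mode="Forms">
    <forms loginUrl="~/Account/Login" timeout="30" requireSSL="true" />
  </authentication>
  <httpCookies requireSSL="true" httpOnlyCookies="true" />
</system.web></configuration>"""


def audit_web_config(xml_text):
    """Return a list of findings about cookie transport settings."""
    root = ET.fromstring(xml_text)
    findings = []
    # Forms authentication ticket cookie (.ASPXAUTH by default).
    forms = root.find("./system.web/authentication/forms")
    if forms is not None and forms.get("requireSSL", "false").lower() != "true":
        findings.append("forms: requireSSL is not true, .ASPXAUTH is issued without Secure")
    # Site-wide default for cookies written through the ASP.NET cookie API.
    cookies = root.find("./system.web/httpCookies")
    if cookies is None or cookies.get("requireSSL", "false").lower() != "true":
        findings.append("httpCookies: requireSSL is not true, other cookies lack Secure")
    return findings


def cookie_is_secure(set_cookie_value, name=".ASPXAUTH"):
    """True if the Set-Cookie header value sets `name` with the Secure attribute."""
    jar = SimpleCookie()
    jar.load(set_cookie_value)
    return name in jar and bool(jar[name]["secure"])


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_web_config(cfg) or "no findings")
    # Constructed header values as they would appear in a captured response.
    print(cookie_is_secure(".ASPXAUTH=ABC123; path=/; HttpOnly"))
    print(cookie_is_secure(".ASPXAUTH=ABC123; path=/; secure; HttpOnly"))
```

Pass `cookie_is_secure` the header value only, without the leading "Set-Cookie:" name.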
    
