 

How to secure .ASPXAUTH token

Tags:

.net

security

How do you secure the .ASPXAUTH token so that it is sent over SSL?

John asked Jun 11 '12 13:06


1 Answer

Directly from msdn docs:

To prevent forms authentication cookies from being captured and tampered with while crossing the network, ensure that you use SSL with all pages that require authenticated access and restrict forms authentication tickets to SSL channels by setting requireSSL="true" on the <forms> element.

To restrict forms authentication cookies to SSL channels set requireSSL="true" on the <forms> element, as shown in the following code:

<forms loginUrl="Secure\Login.aspx" requireSSL="true" ... />

By setting requireSSL="true", you set the secure cookie property that determines whether browsers should send the cookie back to the server. With the secure property set, the cookie is sent by the browser only to a secure page that is requested using an HTTPS URL.

Note that when using requireSSL="true", the auth cookie is only sent for pages requested via SSL. So if you hit a page via HTTP (non-SSL), it may appear that you are not logged in. This article talks about the issue and proposes a solution as it would pertain to a SharePoint site (but the theory is transferable): Securing the authentication cookie for mixed SSL SharePoint sites

xelco52 answered Sep 28 '22 16:09
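As an added example (not part of the answer or the MSDN text), here is a web.config fragment that shows the weak setting beside the hardened one, and an IIS URL Rewrite rule that sends plain-HTTP requests to HTTPS so the "looks logged out on HTTP pages" symptom from the note above never appears. It assumes the site runs on IIS with the URL Rewrite module installed; the loginUrl and host are placeholders.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <!-- WEAK (default): requireSSL is false, so the .ASPXAUTH cookie is
         sent on http:// requests too and can be read off the wire.
    <authentication mode="Forms">
      <forms loginUrl="~/Account/Login.aspx" />
    </authentication>
    -->

    <!-- HARDENED: the ticket cookie gets the Secure flag; the browser
         only returns it over HTTPS. cookieless="UseCookies" prevents the
         ticket from being placed in the URL instead of a cookie. -->
    <authentication mode="Forms">
      <forms loginUrl="~/Account/Login.aspx"
             requireSSL="true"
             cookieless="UseCookies"
             slidingExpiration="true"
             timeout="30" />
    </authentication>

    <!-- Mark every ASP.NET cookie (including .ASPXAUTH and session)
         HttpOnly and Secure, not just the forms ticket. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>

  <system.webServer>
    <!-- Because requireSSL="true" hides the cookie on http:// pages,
         redirect all plain-HTTP requests to HTTPS (URL Rewrite module). -->
    <rewrite>
      <rules>
        <rule name="Redirect to HTTPS" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTPS}" pattern="off" ignoreCase="true" />
          </conditions>
          <action type="Redirect"
                  url="https://{HTTP_HOST}/{R:1}"
                  redirectType="Permanent" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

With requireSSL="true", a call to FormsAuthentication.SetAuthCookie on a non-HTTPS request throws an HttpException rather than issuing an insecure cookie, so the redirect rule must be in place before login pages are reachable over HTTP.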