This web application is configured to use forms authentication but has the forms property protection set to a value that is not All (the default value is All). The All value is the recommended value for this property as this protection mode will both encrypt and validate the forms authentication cookie.


It's recommended to set the forms property protection to All.

<authentication mode="Forms">
  <forms ... protection="All" />


Related Vulnerabilities