Configure the Cookie Protection Mode for Forms Authentication (IIS 7)

Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Vista

The cookie protection mode defines the function a Forms authentication cookie performs for a specific application. The following table shows the cookie protection modes you can define:


Mode Description

Encryption and validation

Specifies that the application use both data validation and encryption to help protect the cookie. This option uses the configured data validation algorithm (based on the machine key). Triple-DES (3DES) is used for encryption, if available and if the key is long enough (48 bytes or more). This setting is the default (and recommended) value.


Specifies that both encryption and validation are disabled for sites that are using cookies only for personalization and have weaker security requirements. We do not recommend that you use cookies in this manner; however, it is the least resource-intensive way to enable personalization using the .NET Framework.


Specifies that the cookie is encrypted by using Triple-DES or DES, but data validation is not performed on the cookie. Cookies used in this manner might be subject to plain text attacks.


Specifies that a validation scheme verifies that the contents of an encrypted cookie have not been changed in transit.

For security reasons, consider keeping Encryption and Validation cookies separate from each other. The theft of encryption cookies would be a greater security exposure than the theft of validation cookies.

For information about the levels at which you can perform this procedure, and the modules, handlers, and permissions that are required to perform this procedure, see Authentication Feature Requirements (IIS 7).

Exceptions to Feature Requirements

  • None


  • FormsAuthenticationModule

You can perform this procedure by using the user interface (UI), by running Appcmd.exe commands in a command-line window, by editing configuration files directly, or by writing WMI scripts.

  1. Open IIS Manager and navigate to the level you want to manage. For information about opening IIS Manager, see Open IIS Manager (IIS 7). For information about navigating to locations in the UI, see Navigation in IIS Manager (IIS 7).

  2. In Features View, double-click Authentication.

  3. On the Authentication page, select Forms Authentication.

  4. In the Actions pane, click Edit.

  5. In the Edit Forms Authentication Settings dialog box, select the protection mode you want to use from the Protection mode drop-down list in the Cookie settings area, and then click OK.

To configure the cookie protection mode for Forms authentication, use the following syntax:

appcmd set config /commit:WEBROOT /section:system.web/authentication / All | None | Encryption | Validation

The default value for is All. For example, to configure the cookie protection mode for Forms authentication to use the setting Encryption and Validation, type the following at the command prompt, and then press ENTER:

appcmd set config /commit:WEBROOT /section:system.web/authentication /

When you use Appcmd.exe to configure the authentication element at the global level in IIS 7, you must specify /commit:WEBROOT in the command so that configuration changes are made to the root Web.config file instead of ApplicationHost.config.

For more information about Appcmd.exe, see Appcmd.exe (IIS 7).

The procedure in this topic affects the following configuration elements:

<forms> under <authentication> under <system.web>

For more information about IIS 7 configuration, see IIS 7.0: IIS Settings Schema on MSDN.

Use the following WMI classes, methods, or properties to perform this procedure:

  • FormsAuthenticationConfiguration.Protection property

For more information about WMI and IIS, see Windows Management Instrumentation (WMI) in IIS 7. For more information about the classes, methods, or properties associated with this procedure, see the IIS WMI Provider Reference on the MSDN site.

See Also

Community Additions