ASP.NET forms authentication using inadequate protection
Description
The ASP.NET application uses forms authentication with the protection attribute of the forms element set to a value other than All. Each of the other accepted values removes part of the protection applied to the authentication ticket stored in the cookie: Validation signs the ticket but leaves its contents (such as the user name and any user data) readable; Encryption encrypts the ticket but does not sign it, so the ciphertext is malleable and cannot be checked for tampering; None does neither. The default, All (which also applies when the attribute is omitted), both encrypts the ticket to prevent disclosure and signs it to prevent tampering and forgery.
Remediation
Set the protection attribute of the forms element to All in your web.config file, or remove the attribute so the default applies. This ensures authentication cookies are both encrypted and validated.
Update your authentication configuration as follows:
    <configuration>
      <system.web>
        <authentication mode="Forms">
          <!-- protection="All" encrypts and signs the ticket; requireSSL="true" marks the cookie Secure -->
          <forms loginUrl="~/Login.aspx"
                 timeout="30"
                 protection="All"
                 requireSSL="true" />
        </authentication>
      </system.web>
    </configuration>
The example also sets requireSSL="true", which marks the authentication cookie Secure so browsers only send it over HTTPS, protecting it against interception. With this setting ASP.NET refuses to issue the cookie on a plain HTTP request, so the login page and every page that sets the cookie must be served over HTTPS. The encryption and validation keys come from the machineKey configuration, which must be identical on every server in a web farm or tickets issued by one server will be rejected by another. After making this change, test your authentication flow end to end: tickets issued under the old protection setting no longer decrypt, so existing users will be signed out and must log in again.
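The check below is an added example, not code from the original page or from ASP.NET itself: a small Python audit that parses web.config content, finds every forms element, applies the ASP.NET defaults (a missing protection attribute means All, a missing requireSSL means false) and reports the weak settings described above. The two web.config samples embedded in it are constructed for this demonstration; the weak one shows the misconfiguration, the hardened one the remediation.

```python
"""Audit ASP.NET web.config content for forms-authentication cookies that are
not fully protected (protection other than "All") or not restricted to HTTPS.

Added example for this page; the two sample configs below are constructed for
the demonstration and do not come from any real application.
"""
import xml.etree.ElementTree as ET

# What each non-default <forms protection="..."> value gives up.
WEAK_PROTECTION = {
    "None": "ticket neither encrypted nor signed",
    "Encryption": "ticket encrypted but not signed, so the ciphertext can be tampered with",
    "Validation": "ticket signed but not encrypted, so its contents are readable",
}

# Constructed sample: the misconfiguration this page describes.
WEAK_CONFIG = """
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx" timeout="30" protection="Validation" />
    </authentication>
  </system.web>
</configuration>
"""

# Constructed sample: the remediated configuration.
HARDENED_CONFIG = """
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx" timeout="30" protection="All" requireSSL="true" />
    </authentication>
  </system.web>
</configuration>
"""


def audit_web_config(xml_text):
    """Return a list of finding strings, one per weak setting, for every
    <forms> element in the given web.config text.

    An absent protection attribute is the ASP.NET default (All) and is not
    reported. An absent requireSSL defaults to false and is reported.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for forms in root.iter("forms"):
        # Exact, case-sensitive comparison: .NET config enum values must match
        # the enumeration name, so anything other than "All" is either weak or
        # an invalid value that will fail at startup.
        protection = forms.get("protection", "All")
        if protection != "All":
            reason = WEAK_PROTECTION.get(protection, "unrecognised value")
            findings.append(f'protection="{protection}": {reason}')
        # bool.Parse in .NET is case-insensitive, so "True" and "true" both count.
        if forms.get("requireSSL", "false").strip().lower() != "true":
            findings.append(
                "requireSSL is not true: the cookie may be sent over plain HTTP")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit_web_config(cfg) or ['no findings']}")
```

To audit a real file, pass the contents of web.config to audit_web_config; the function only inspects the forms element and does not evaluate the machineKey section, so key management in a web farm still has to be checked separately.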