Sensitive data that is transmitted using HTTP is vulnerable to being read by a third party. By default, web forms and cookies are sent via HTTP, not HTTPS. This can be changed by setting the requireSSL attribute to "true" in Web.config.

When using web forms, ensure that Web.config contains a <forms> element with the attribute requireSSL="true".

When using cookies, ensure that SSL is used, either via the <forms> attribute above, or the <httpCookies> element, with the attribute requireSSL="true". It is also possible to require cookies to use SSL programmatically, by setting the property System.Web.HttpCookie.Secure to true.

The following example shows where to specify requireSSL="true" in a Web.config file.
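The Web.config fragment below is an added example (not the original page's own listing) showing both places where requireSSL="true" belongs; the loginUrl value is an assumed placeholder.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <!-- Forms authentication. requireSSL="true" marks the forms authentication
         cookie Secure, so the browser only sends it over HTTPS. The default
         value is "false". loginUrl is an assumed placeholder path. -->
    <authentication mode="Forms">
      <forms loginUrl="~/Account/Login" requireSSL="true" />
    </authentication>

    <!-- Applies to every cookie the application issues, not only the forms
         authentication cookie. This also defaults to "false". -->
    <httpCookies requireSSL="true" />
  </system.web>
</configuration>
```

One practical check after enabling this: with requireSSL="true" on the <forms> element, FormsAuthentication refuses to issue the authentication cookie on a request that did not arrive over HTTPS and throws an HttpException instead, so the site must actually be served over HTTPS (including any development or test environment) for logins to succeed.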

  • MSDN: HttpCookie.Secure Property, FormsAuthentication.RequireSSL Property, forms Element for authentication, httpCookies Element.