Showing posts from September, 2016

Secure cookie in load balancer environment

To secure cookies in an environment without a load balancer, add or configure the httpCookies element in the web.config file under <system.web>:

    <httpCookies requireSSL="true" httpOnlyCookies="true"/>

For the forms authentication cookie, add requireSSL="true" to the <forms> element:

    <forms name="authCookie" loginUrl="login.aspx" timeout="20" requireSSL="true" />

However, if there is a load balancer and the certificate is deployed on the load balancer, so that the actual web site is served over HTTP only, the configuration above will not work. For it to work, keep the httpCookies configuration the same as above, but change the requireSSL attribute in the <forms> element to false. In addition, in the code that creates the authentication cookie, make sure not to set the "Secure" property (you cannot set it to either true or false).
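The cookie-creation step described above, as an added C# example that is not code from the original post. The class and method names are hypothetical, and it assumes System.Web forms authentication (.NET 4 or later) with the <httpCookies> and <forms> settings shown above, whose defaults a newly constructed HttpCookie picks up.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Hypothetical helper: the class and method names are illustrative only.
public static class AuthCookieIssuer
{
    // Issues the forms-authentication cookie on a backend that only sees HTTP
    // because TLS terminates at the load balancer.
    public static void Issue(HttpResponseBase response, string userName, bool persistent)
    {
        if (response == null) throw new ArgumentNullException("response");
        if (string.IsNullOrEmpty(userName))
            throw new ArgumentException("User name is required.", "userName");

        DateTime now = DateTime.Now;
        var ticket = new FormsAuthenticationTicket(
            1,                                    // ticket version
            userName,
            now,                                  // issue date
            now.Add(FormsAuthentication.Timeout), // timeout="20" from <forms>
            persistent,
            string.Empty,                         // no user data
            FormsAuthentication.FormsCookiePath);

        var cookie = new HttpCookie(
            FormsAuthentication.FormsCookieName,  // name="authCookie" from <forms>
            FormsAuthentication.Encrypt(ticket));
        cookie.Path = FormsAuthentication.FormsCookiePath;
        if (persistent) cookie.Expires = ticket.Expiration;

        // Deliberately no assignment to cookie.Secure or cookie.HttpOnly:
        // a new HttpCookie takes both defaults from <httpCookies>, so
        // requireSSL="true" and httpOnlyCookies="true" still apply even
        // though <forms requireSSL="false"> is set for the HTTP-only backend.
        response.Cookies.Add(cookie);
    }
}
```

After deploying, confirm in the browser's developer tools, over the load balancer's HTTPS address, that the Set-Cookie header for authCookie carries both the Secure and HttpOnly attributes.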