The contents of unprotected cookies could be viewed or modified by attackers.
Cookies are often used to store important information about users, such as personal information, authentication tokens and a history of their activity. If this information is stored in plaintext, anyone with access to machines used to interact with the application will have access to the information stored in the cookie. Worse yet, if attackers are allowed to arbitrarily modify the data stored in cookies, they can falsify information provided to the application and potentially alter its behavior to their advantage.
In many cases, an application can validate input from cookies programmatically according to the context in which it is used, but the ASP.NET validation framework provides an excellent way both to protect the contents of the cookie and to verify that the cookie has not been modified unexpectedly. Without this approach, it is difficult, and often impossible, to establish with a high level of confidence that all input is validated.
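One way to check a deployment for this weakness, as an added example that is not part of the original page: a Python audit that parses a web.config and reports any `<forms>` element whose `protection` attribute is something other than `All`, the setting that both encrypts and validates the forms authentication cookie. The function name `audit_forms_protection`, the sample configurations and `Login.aspx` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Documented values of the <forms> protection attribute other than "All".
WEAK_VALUES = {
    "none": "cookie is neither encrypted nor validated",
    "encryption": "cookie is encrypted but not validated against tampering",
    "validation": "cookie is tamper-checked but its contents stay readable",
}

def audit_forms_protection(web_config_xml):
    """Return one finding per <forms> element whose protection is not All."""
    findings = []
    for element in ET.fromstring(web_config_xml).iter():
        # Compare the local name so a default xmlns on <configuration> still matches.
        if element.tag.rsplit("}", 1)[-1] != "forms":
            continue
        # ASP.NET applies "All" when the attribute is omitted.
        value = element.get("protection", "All")
        if value.lower() == "all":
            continue
        reason = WEAK_VALUES.get(value.lower(), "unrecognized value")
        findings.append(f'protection="{value}": {reason}')
    return findings

# Constructed sample input (not from the original page).
WEAK_CONFIG = """<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx" protection="None" />
    </authentication>
  </system.web>
</configuration>"""
# The corrected setting: encrypt and validate the cookie.
FIXED_CONFIG = WEAK_CONFIG.replace('protection="None"', 'protection="All"')

if __name__ == "__main__":
    for name, xml_text in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, audit_forms_protection(xml_text) or "no findings")
```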