I'm reading about how to protect Forms Authentication and have some questions.

1) When the authentication ticket is both encrypted and integrity checked, is there any reason to still use SSL? If I understand this correctly, a hacker can't read the ticket's data in plaintext since it's encrypted, and modifying the data will throw an exception. So, why use SSL?

2) When using cookieless authentication, is the ticket still integrity checked even when its info is contained in the URL? And is there any reason to use SSL with cookieless authentication?