I am working on the security design for a new application at my company. We are using the Windows Identity Foundation framework.
I have a logon application that issues a token to a user who successfully authenticates. The token is then used to access the new application. Of course, this happens transparently to the user.
The WIF framework issues a page with some JavaScript including the data of the security token that identifies the authenticated user. The JavaScript instructs the user's browser to post the security token data to the application.
There are two specific options for security's sake I'd like to mention.
Clearly, token encryption is of utmost importance. It is critically important that the application be able to recognize the security token as a valid security token from the logon application.
As for token encryption, I don't know exactly why I need this. The data in the security token simply identifies the user and provides an identifier for the user's session.
My question: Is there some intrinsic thing about security tokens that they need to be not only signed, but encrypted as well?
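The distinction the question turns on, as an added example that is not part of the original post and is not WIF code: a signed-only token posted through the browser is tamper-evident, yet its claims are readable without any key. The HMAC key, token layout and function names are assumptions standing in for the certificate-based signature on a real token.

```python
import base64, hashlib, hmac, json
from typing import Optional

# Constructed key: stands in for the logon application's signing credential.
SIGNING_KEY = b"constructed-demo-key"

def _encode(claims: dict) -> bytes:
    return base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())

def issue_token(claims: dict) -> str:
    """Logon application: serialize the claims and append a signature."""
    body = _encode(claims)
    sig = hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest().encode()
    return (body + b"." + sig).decode()

def read_without_key(token: str) -> dict:
    """What the browser, a proxy or a request log can see: no key required."""
    return json.loads(base64.urlsafe_b64decode(token.split(".", 1)[0]))

def validate(token: str) -> Optional[dict]:
    """Application: return the claims only if the signature verifies."""
    try:
        body, sig = token.encode().split(b".", 1)
    except ValueError:
        return None  # not in body.signature form
    expected = hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(sig, expected):
        return None  # claims were altered or signed by someone else
    return json.loads(base64.urlsafe_b64decode(body))

def altered_copy(token: str, **changes) -> str:
    """Simulate modification in transit: new claims, original signature."""
    claims = read_without_key(token)
    claims.update(changes)
    return _encode(claims).decode() + "." + token.split(".", 1)[1]

if __name__ == "__main__":
    # Constructed sample claims: a user identity and a session identifier.
    token = issue_token({"user": "alice", "session": "s-123"})
    print("visible in the POST body:", read_without_key(token))
    print("validated by application:", validate(token))
    print("altered token accepted?  ", validate(altered_copy(token, user="bob")))
```

Signing answers "did the logon application issue exactly these claims"; whether the claims may be seen by whatever handles the POST is a separate question that only encryption addresses.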