>Not required - but less secure without?
Yes, if you want to add that layer, it will be more secure. Note that this will mathematically be a little bit slower, but not something visible to the user. But the cookie will travel transparently over that layer as well. So, it doesn't change anything except having to configure the IIS port and possibly the firewall.
>Don't you have to authenticate before issuing the cookie IAC?
Yes, exactly, that is the first step. Once authenticated, you generate a cookie in the response. Then, it will live, at minimum, during the session (that implies for as long as the browser remains open). You can also set the cookie for a duration, thus passing it an expiration date, which will make it sit somewhere in the PC's browser configuration-related files. Note that this applies if the browser does not block cookies. Which is a real ... these days. See this link for some documentation about issues I have to refer users to from time to time:
http://www.levelextreme.com/ViewPageGenericCookieVerification.aspx