Summary

Acunetix 360 detected that the cookieless session state is enabled inside of the ASP.NET application.

Impact

When an ASP.NET application is configured to use cookieless session state, it places the authentication token in page URLs rather than in a cookie. Because URLs end up in browser history, proxy and server logs, and Referer headers, this makes it easier for an attacker to perform session hijacking.

Actions To Take

Cookieless forms authentication is enabled in the machine.config file or the web.config file of your application through the cookieless attribute of the <forms> element. To disable cookieless session state, set the cookieless attribute to “UseCookies”, as in the following configuration:

<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms name=".ASPXAUTH"
             loginUrl="login.aspx"
             protection="All"
             timeout="30"
             path="/"
             requireSSL="false"
             slidingExpiration="true"
             defaultUrl="default.aspx"
             cookieless="UseCookies" />
    </authentication>
  </system.web>
</configuration>
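The following audit script is an added example and not Acunetix's or Microsoft's code. It parses a web.config with Python's standard library and reports the effective cookieless mode of both elements that can push a token into the URL: <forms> (forms authentication ticket) and <sessionState> (session ID), since the same attribute exists on both. Assumptions: the defaults applied when the attribute is absent (UseDeviceProfile for <forms>, UseCookies for <sessionState>) follow the ASP.NET documentation, and the legacy "true"/"false" spellings are mapped to UseUri/UseCookies. The two sample configs are constructed for the example.

```python
"""Audit an ASP.NET web.config for cookieless session state / forms authentication.

Added example (not the scanner's own code). Reports whether <forms> and
<sessionState> can place the auth ticket or session ID in the URL.
"""
import xml.etree.ElementTree as ET

# ASP.NET HttpCookieMode values. Only UseCookies never falls back to the URL.
SAFE = "UseCookies"
ALWAYS_URL = {"UseUri"}
MAY_FALL_BACK_TO_URL = {"AutoDetect", "UseDeviceProfile"}

# Legacy boolean spellings still accepted on <sessionState> (assumed mapping).
LEGACY = {"true": "UseUri", "false": "UseCookies"}

# Effective value when the attribute is absent (documented ASP.NET defaults).
DEFAULTS = {"forms": "UseDeviceProfile", "sessionState": "UseCookies"}

# Location of each element relative to the <configuration> root.
PATHS = {
    "forms": "system.web/authentication/forms",
    "sessionState": "system.web/sessionState",
}


def effective_mode(element, name):
    """Resolve the cookieless attribute, applying defaults and legacy spellings."""
    raw = element.get("cookieless")
    if raw is None:
        return DEFAULTS[name]
    raw = raw.strip()
    return LEGACY.get(raw.lower(), raw)


def classify(mode):
    """'ok' never uses the URL; 'weak' always does; 'conditional' may for some clients."""
    if mode == SAFE:
        return "ok"
    if mode in ALWAYS_URL:
        return "weak"
    if mode in MAY_FALL_BACK_TO_URL:
        return "conditional"
    return "unknown"


def audit_config(xml_text):
    """Return {element_name: (effective_mode, verdict)} for each element present."""
    root = ET.fromstring(xml_text)
    report = {}
    for name, path in PATHS.items():
        element = root.find(path)
        if element is not None:
            mode = effective_mode(element, name)
            report[name] = (mode, classify(mode))
    return report


def is_compliant(report):
    """True only when every relevant element is pinned to UseCookies."""
    return all(verdict == "ok" for _, verdict in report.values())


# Constructed sample: the weak setting on both elements.
WEAK_CONFIG = """<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms name=".ASPXAUTH" loginUrl="login.aspx" cookieless="UseUri" />
    </authentication>
    <sessionState mode="InProc" cookieless="true" />
  </system.web>
</configuration>"""

# Constructed sample: the corrected setting on both elements.
FIXED_CONFIG = """<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms name=".ASPXAUTH" loginUrl="login.aspx" cookieless="UseCookies" />
    </authentication>
    <sessionState mode="InProc" cookieless="UseCookies" />
  </system.web>
</configuration>"""


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        report = audit_config(cfg)
        print(label, report, "compliant" if is_compliant(report) else "NOT compliant")
```

Run it against a real web.config by reading the file into `audit_config`. Note that an absent attribute on <forms> is reported as "conditional", because the UseDeviceProfile default can still emit URL-based tickets for clients the browser database marks as cookie-less; the fix is to set the attribute explicitly rather than rely on the default.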

Severity

Medium

Classification

CWE-16, OWASP 2013-A5, OWASP 2017-A6