ASP.NET cookieless authentication enabled (AcuSensor)

Description
  • Web applications configured to use cookieless authentication carry the forms authentication token in the page URL instead of in a cookie. A token in the URL is far easier to steal than one in a cookie: it is written to browser history and bookmarks, it travels with any copied or shared link, it leaks to third-party sites through the Referer header, and it is recorded in web server, proxy and analytics logs. This exposes the application to session hijacking, a form of identity theft in which an attacker impersonates a legitimate user by obtaining and replaying that user's session token. When the token is carried in a cookie and the request is made over a secure channel (HTTPS/TLS), none of these leakage paths apply, and the cookie can additionally be marked Secure and HttpOnly so that it is never sent in clear text or exposed to script.
Remediation
  • To disable cookieless authentication, set the cookieless attribute of the <forms> element (inside <authentication mode="Forms"> in web.config) to UseCookies. The other values are weaker: UseUri always places the token in the URL, while AutoDetect and UseDeviceProfile (the default) fall back to the URL whenever the client appears not to support cookies, so an attacker can often obtain the cookieless form simply by sending requests without cookies or with a User-Agent that maps to a cookieless device profile.

    Example:
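The following web.config fragment is an added example, not the page's own, showing the hardened setting for a hypothetical ASP.NET application (the loginUrl, cookie name and timeout are placeholders). The weak setting is kept alongside it in a comment so the two can be compared, and the <httpCookies> element is included because it enforces the HTTPS-only and HttpOnly cookie properties that the description above relies on.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example: hypothetical web.config for an ASP.NET Forms-authentication app. -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- VULNERABLE (reported by this check): cookieless="UseUri" embeds the
           .ASPXAUTH token in every URL, e.g. /(F(<token>))/Default.aspx.
           AutoDetect and UseDeviceProfile can silently fall back to this mode.
      <forms name=".ASPXAUTH" loginUrl="~/Account/Login" cookieless="UseUri" timeout="30" />
      -->

      <!-- FIXED: the token is only ever issued as a cookie, and requireSSL="true"
           makes ASP.NET set the Secure flag so it is never sent over plain HTTP. -->
      <forms name=".ASPXAUTH"
             loginUrl="~/Account/Login"
             cookieless="UseCookies"
             requireSSL="true"
             slidingExpiration="true"
             timeout="30" />
    </authentication>

    <!-- Apply Secure and HttpOnly to all cookies the application issues,
         so the authentication cookie is neither leaked in clear text nor readable by script. -->
    <httpCookies requireSSL="true" httpOnlyCookies="true" />
  </system.web>
</configuration>
```

After changing the setting, confirm the fix by logging in over HTTPS and checking that the Set-Cookie response header carries the .ASPXAUTH cookie with the Secure and HttpOnly flags, and that no request URL contains a /(F(...))/ segment. Note that ASP.NET session state is configured separately through the cookieless attribute of the <sessionState> element, which this check does not cover.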