Description

Web applications configured to use cookieless session state store the session token in the page URLs rather than a cookie. This makes the application more vulnerable to session hijacking attacks. Session hijacking is basically a form of identity theft wherein a hacker impersonates a legitimate user by stealing his session token. When the session token is transmitted in a cookie, and the request is made on a secure channel (that is, it uses SSL), the token is secure.

Remediation

To disable cookieless session state, set the value of the cookieless attribute of the <sessionState> element to UseCookies.

Example: <sessionState cookieless="UseCookies">

Related Vulnerabilities

Symfony debug mode enabled (AcuSensor)

Active Mixed Content over HTTPS

Tornado weak secret key

Insecure Transportation Security Protocol Supported (TLS 1.0)

JBoss ServerInfo MBean

Severity

Medium

Classification

CWE-598 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N

Tags

Configuration