Web applications configured to use cookieless session state store the session token in the page URLs rather than a cookie. This makes the application more vulnerable to session hijacking attacks. Session hijacking is basically a form of identity theft wherein a hacker impersonates a legitimate user by stealing his session token. When the session token is transmitted in a cookie, and the request is made on a secure channel (that is, it uses SSL), the token is secure.


To disable cookieless session state, set the value of the cookieless attribute of the <sessionState> element to UseCookies.

Example: <sessionState cookieless="UseCookies">

Related Vulnerabilities