ASP.NET cookieless authentication enabled
Description
This vulnerability occurs when an ASP.NET application is configured to use cookieless authentication, which embeds authentication tokens directly in URLs instead of storing them in HTTP cookies. Tokens carried in URL parameters are recorded in browser history, server and proxy logs, and Referer headers, and are easily shared or bookmarked. This exposure significantly increases the risk of session hijacking, in which an attacker obtains and replays a legitimate user's session token to impersonate that user. Unlike cookie-based authentication over HTTPS, cookieless authentication cannot rely on the transport and cookie-level protections that keep the token out of these locations.
Remediation
Disable cookieless authentication by configuring the application to use cookie-based authentication tokens. Modify the web.config file to set the cookieless attribute of the <forms> element to UseCookies.
Configuration Example:
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms cookieless="UseCookies"
             requireSSL="true"
             protection="All" />
    </authentication>
  </system.web>
</configuration>

Additionally, ensure that requireSSL="true" is set to enforce HTTPS-only transmission of authentication cookies, and set protection="All" to enable both encryption and validation of the authentication token. After making these changes, restart the application and verify that authentication tokens are no longer visible in URLs.
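Added example, not part of the original advisory: a small Python audit that parses a web.config and reports every <forms> setting that still permits a URL-embedded ticket, including the UseDeviceProfile default that ASP.NET applies when the cookieless attribute is omitted. The two sample configurations inside are constructed for illustration.

```python
"""Audit an ASP.NET web.config for forms-authentication tickets that can
travel in the URL. Added example, not part of the original advisory; the
sample configurations below are constructed for illustration."""
import xml.etree.ElementTree as ET

# Valid <forms cookieless="..."> values are UseUri, UseCookies, AutoDetect and
# UseDeviceProfile. Only UseCookies never falls back to a URL-embedded ticket,
# and ASP.NET applies UseDeviceProfile when the attribute is omitted.
DEFAULT_COOKIELESS = "UseDeviceProfile"


def _child(elem, tag):
    """Return the first direct child named `tag` (avoids XPath quirks with 'system.web')."""
    return next((c for c in elem if c.tag == tag), None) if elem is not None else None


def audit_forms_auth(web_config_xml: str) -> list:
    """Return findings for the <forms> element; an empty list means it is hardened."""
    root = ET.fromstring(web_config_xml)
    auth = _child(_child(root, "system.web"), "authentication")
    # Authentication mode defaults to Windows, so a missing <authentication>
    # element or a non-Forms mode means there is no forms ticket to audit.
    if auth is None or auth.get("mode", "Windows") != "Forms":
        return []
    forms = _child(auth, "forms")
    attrs = forms.attrib if forms is not None else {}
    findings = []
    cookieless = attrs.get("cookieless", DEFAULT_COOKIELESS)
    if cookieless != "UseCookies":
        findings.append(f'cookieless="{cookieless}" permits the ticket in the URL; set cookieless="UseCookies"')
    if attrs.get("requireSSL", "false").lower() != "true":
        findings.append('requireSSL is not "true"; the ticket cookie may be sent over plain HTTP')
    if attrs.get("protection", "All") != "All":
        findings.append(f'protection="{attrs["protection"]}" weakens the ticket; set protection="All"')
    return findings


# Constructed sample: the vulnerable configuration the advisory describes.
VULNERABLE_CONFIG = """<configuration><system.web>
  <authentication mode="Forms"><forms cookieless="UseUri" /></authentication>
</system.web></configuration>"""

# Constructed sample: the remediated configuration from the advisory.
HARDENED_CONFIG = """<configuration><system.web>
  <authentication mode="Forms">
    <forms cookieless="UseCookies" requireSSL="true" protection="All" />
  </authentication>
</system.web></configuration>"""

if __name__ == "__main__":
    for name, cfg in (("vulnerable", VULNERABLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_forms_auth(cfg) or ["OK"])
```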