ASP.NET Cookieless session state enabled
Description
Web applications configured to use cookieless session state carry the session token in page URLs instead of in a cookie. This makes the application more vulnerable to session hijacking, a form of identity theft in which an attacker impersonates a legitimate user by stealing that user's session token. When the session token is transmitted in a cookie and the request is made over a secure channel (that is, it uses SSL), the token is not exposed in the URL and remains protected.
Remediation
To disable cookieless session state, set the value of the cookieless attribute of the <sessionState> element to UseCookies.

Example: <sessionState cookieless="UseCookies" />
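As an added check that is not part of this description, the following Python script parses a web.config document and flags any <sessionState> whose cookieless setting could place the session token in the URL; it also treats an omitted attribute as a finding, assuming ASP.NET's documented default of UseDeviceProfile. The two sample configurations are constructed to show the weak setting beside the remediated one.

```python
# Added example (not from the original page): audit a web.config document and
# flag a <sessionState> whose cookieless attribute is not UseCookies.
import xml.etree.ElementTree as ET

# Values ASP.NET accepts for sessionState/@cookieless. Only "UseCookies"
# (and the legacy boolean "false") keeps the token out of the URL for every
# client; the others put it in the URL always or depending on the client.
SAFE_VALUES = {"usecookies", "false"}
UNSAFE_VALUES = {"useuri", "true", "autodetect", "usedeviceprofile"}


def check_session_state(web_config_xml: str) -> dict:
    """Return a finding for the first <sessionState> element in the document.

    Keys: 'cookieless' (raw attribute value or None), 'vulnerable' (True when
    the token may be written into URLs) and 'reason' (short explanation).
    """
    root = ET.fromstring(web_config_xml)
    # Search the whole tree so <sessionState> under <location> is found too.
    node = next(root.iter("sessionState"), None)
    if node is None:
        return {"cookieless": None, "vulnerable": False,
                "reason": "no sessionState element in this document"}
    value = node.get("cookieless")
    if value is None:
        # Attribute omitted: the runtime default (UseDeviceProfile, per the
        # ASP.NET documentation) applies, so some clients may get URL tokens.
        return {"cookieless": None, "vulnerable": True,
                "reason": "cookieless not set; default is not UseCookies"}
    lowered = value.strip().lower()
    if lowered in SAFE_VALUES:
        return {"cookieless": value, "vulnerable": False,
                "reason": "session token is kept in a cookie"}
    if lowered in UNSAFE_VALUES:
        return {"cookieless": value, "vulnerable": True,
                "reason": f"cookieless={value} may place the token in the URL"}
    return {"cookieless": value, "vulnerable": True,
            "reason": f"unrecognised value {value!r}; review manually"}


# Constructed sample configurations: the weak setting and its remediation.
WEAK_CONFIG = """<configuration><system.web>
  <sessionState cookieless="UseUri" timeout="20" />
</system.web></configuration>"""
FIXED_CONFIG = """<configuration><system.web>
  <sessionState cookieless="UseCookies" timeout="20" />
</system.web></configuration>"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, check_session_state(cfg))
```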