ASP.NET Cookieless session state enabled
Description
This application is configured to use cookieless session state, which embeds session identifiers directly in URLs instead of storing them in HTTP cookies. When session tokens appear in URLs, they become visible in browser history, server logs, referrer headers, and can be inadvertently shared through bookmarks or copy-pasted links. This significantly increases the risk of session hijacking attacks, where an attacker gains unauthorized access to a user's session by obtaining their session token through these exposed channels.
Remediation
Configure the application to use cookie-based session state instead of cookieless sessions. Modify the web.config file to set the cookieless attribute of the <sessionState> element to UseCookies or UseDeviceProfile (which uses cookies for devices that support them).
Recommended configuration:
    <configuration>
      <system.web>
        <sessionState cookieless="UseCookies" />
      </system.web>
    </configuration>

After making this change, ensure that session cookies are configured with appropriate security attributes by setting httpOnlyCookies="true", requireSSL="true" (if using HTTPS) and sameSite="Strict" in the <httpCookies> element:

    <httpCookies httpOnlyCookies="true" requireSSL="true" sameSite="Strict" />
Test the application thoroughly after implementing these changes to ensure session management functions correctly across all supported browsers and devices.
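As an added example (not part of this finding's text or of any scanner product), the following Python script audits a web.config document for the two settings discussed above: the cookieless attribute of <sessionState> and the httpOnlyCookies, requireSSL and sameSite attributes of <httpCookies>. It treats UseCookies and UseDeviceProfile (and the legacy false) as acceptable, matching the remediation, and flags UseUri, AutoDetect and the legacy true because those modes can place the session ID in the URL. Accepting sameSite="Lax" as well as "Strict" is this script's own choice, not the page's; the two sample configurations are constructed for the demonstration.

```python
import xml.etree.ElementTree as ET

# cookieless values that keep the session ID in a cookie. The attribute
# takes an HttpCookieMode value (UseCookies, UseUri, AutoDetect,
# UseDeviceProfile) or the legacy booleans, where "true" means UseUri.
ACCEPTED_MODES = {"usecookies", "usedeviceprofile", "false"}

# sameSite values accepted by this audit (assumption: Lax is tolerated)
ACCEPTED_SAMESITE = {"strict", "lax"}


def audit_web_config(xml_text):
    """Return a list of finding strings for a web.config document.

    An empty list means <sessionState> and <httpCookies> match the
    remediation: cookie-based sessions with HttpOnly, Secure and SameSite
    cookies.
    """
    root = ET.fromstring(xml_text)
    findings = []

    system_web = root.find("system.web")
    if system_web is None:
        return ["no <system.web> section found"]

    # ASP.NET defaults cookieless to UseCookies when the attribute (or the
    # whole element) is absent, so treat a missing value as UseCookies.
    session = system_web.find("sessionState")
    mode = session.get("cookieless", "UseCookies") if session is not None else "UseCookies"
    if mode.lower() not in ACCEPTED_MODES:
        findings.append(
            f'sessionState cookieless="{mode}" can embed the session ID in the URL'
        )

    cookies = system_web.find("httpCookies")
    if cookies is None:
        findings.append("no <httpCookies> element: httpOnlyCookies and requireSSL are not set")
    else:
        # both attributes default to false in ASP.NET when omitted
        if cookies.get("httpOnlyCookies", "false").lower() != "true":
            findings.append("httpCookies httpOnlyCookies is not true")
        if cookies.get("requireSSL", "false").lower() != "true":
            findings.append("httpCookies requireSSL is not true")
        if cookies.get("sameSite", "").lower() not in ACCEPTED_SAMESITE:
            findings.append("httpCookies sameSite is not Strict or Lax")

    return findings


# Constructed sample: the weak configuration this finding describes.
WEAK_CONFIG = """<configuration>
  <system.web>
    <sessionState cookieless="UseUri" />
  </system.web>
</configuration>"""

# Constructed sample: the remediated configuration from the text above.
FIXED_CONFIG = """<configuration>
  <system.web>
    <sessionState cookieless="UseCookies" />
    <httpCookies httpOnlyCookies="true" requireSSL="true" sameSite="Strict" />
  </system.web>
</configuration>"""


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        result = audit_web_config(cfg)
        print(f"{name}: {'OK' if not result else ''}")
        for line in result:
            print("  -", line)
```

Run it against a real web.config by reading the file into a string and passing it to audit_web_config; the script only parses the document and never modifies it, so it is safe to use as a pre-deployment check alongside the browser and device testing recommended above.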