Description

Web applications configured to use cookieless authentication store the authentication token in the page URLs rather than a cookie. This makes the application more vulnerable to session hijacking attacks. Session hijacking is basically a form of identity theft wherein a hacker impersonates a legitimate user by stealing his session token. When the authentication token is transmitted in a cookie, and the request is made on a secure channel (that is, it uses SSL), the token is secure.

Remediation

To disable cookieless authentication, set the value of the cookieless attribute of the <forms> element to UseCookies.

Example: <forms cookieless="UseCookies">

References

Related Vulnerabilities