
Ensure ‘httpcookie’ mode is configured for session state – Default

Details

A session cookie associates session information with client information for that session, which can be the duration of a user’s connection to a site. The cookie is passed in an HTTP header together with all requests between the client and server.

Session information can also be stored in the URL. However, storing session information in this manner has security implications that can open attack vectors such as session hijacking. An effective method of preventing session hijacking attacks is to force web applications to use cookies to store the session token. This is accomplished by setting the cookieless attribute of the sessionState node to UseCookies or False, which in turn keeps session state data out of the URI. It is recommended that session state be configured to UseCookies.

Cookies that have been properly configured help mitigate the risk of attacks such as session hijacking attempts by preventing ASP.NET from having to move session information into the URL. Moving session information into the URI causes session IDs to show up in proxy logs and makes them accessible to client scripting via document.location.

Solution

SessionState can be set to UseCookies by using the IIS Manager GUI, using AppCmd.exe commands in a command-line window, directly editing the configuration files, or by writing WMI scripts. Perform the following to set the cookieless attribute of the sessionState node to UseCookies in the IIS Manager GUI:
1. Open the IIS Manager GUI and navigate to the desired server, site, or application
2. In Features View, find and double-click the Session State icon
3. In the Cookie Settings section, choose Use Cookies from the Mode dropdown
4. In the Actions Pane, click Apply
To use AppCmd.exe to configure sessionState at the server level, the command would look like this:
%systemroot%\system32\inetsrv\appcmd set config /commit:WEBROOT /section:sessionState /cookieless:UseCookies /cookieName:ASP.NET_SessionID /timeout:20

When Appcmd.exe is used to configure the element at the global level in IIS, the /commit:WEBROOT switch must be included so that configuration changes are made to the root web.config file instead of ApplicationHost.config.
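Whichever of the four methods above is used, the result is a cookieless attribute on the sessionState element of a web.config file, so the setting can be verified by reading the configuration files themselves. The following Python script is an added example, not part of this CIS article or of IIS: it audits web.config documents offline for this control, treating UseCookies and False as compliant and going slightly beyond the article by also flagging AutoDetect and UseDeviceProfile, which can fall back to URL-based session IDs for some clients. The function name audit_web_config and the four sample configurations are constructed for illustration; the sample with a location override shows why every sessionState element in the file, not just the first, has to be checked.

```python
# Added example (not from the CIS article): offline audit of ASP.NET web.config
# documents for the sessionState cookieless setting. Function names and the
# sample configurations are constructed for illustration.
import xml.etree.ElementTree as ET

# cookieless values that keep the session token in the session cookie
COMPLIANT_VALUES = {"usecookies", "false"}
# values that can place the session ID in the URL: UseUri/true always do;
# AutoDetect and UseDeviceProfile fall back to URL-based sessions for clients
# that appear not to support cookies
URL_CAPABLE_VALUES = {"useuri", "true", "autodetect", "usedeviceprofile"}


def audit_web_config(xml_text):
    """Audit one web.config document.

    Returns (compliant, findings): compliant is True only when every
    sessionState element (including ones nested under <location> overrides)
    keeps the session ID out of the URI; findings is a list of human-readable
    lines explaining each decision.
    """
    root = ET.fromstring(xml_text)
    findings = []
    compliant = True
    nodes = list(root.iter("sessionState"))
    if not nodes:
        # ASP.NET's default for a missing sessionState element is cookieless="UseCookies"
        findings.append("no sessionState element: ASP.NET default UseCookies applies")
        return True, findings
    for node in nodes:
        value = node.get("cookieless", "UseCookies")  # attribute default
        key = value.lower()
        if key in COMPLIANT_VALUES:
            findings.append(f"cookieless={value}: OK, session ID stays in the cookie")
        elif key in URL_CAPABLE_VALUES:
            findings.append(f"cookieless={value}: session ID may be moved into the URI")
            compliant = False
        else:
            findings.append(f"cookieless={value}: unrecognised value, review manually")
            compliant = False
    return compliant, findings


# Constructed sample: the weak setting this control is meant to catch
WEAK_CONFIG = """<configuration>
  <system.web>
    <sessionState mode="InProc" cookieless="UseUri" timeout="20" />
  </system.web>
</configuration>"""

# Constructed sample: the recommended setting
FIXED_CONFIG = """<configuration>
  <system.web>
    <sessionState mode="InProc" cookieless="UseCookies" timeout="20" />
  </system.web>
</configuration>"""

# Constructed sample: no sessionState element, so the ASP.NET default applies
DEFAULT_CONFIG = """<configuration>
  <system.web>
    <compilation debug="false" />
  </system.web>
</configuration>"""

# Constructed sample: compliant at the root but overridden for one path
LOCATION_OVERRIDE_CONFIG = """<configuration>
  <system.web>
    <sessionState cookieless="UseCookies" />
  </system.web>
  <location path="legacy">
    <system.web>
      <sessionState cookieless="AutoDetect" />
    </system.web>
  </location>
</configuration>"""


if __name__ == "__main__":
    samples = [("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG),
               ("default", DEFAULT_CONFIG), ("override", LOCATION_OVERRIDE_CONFIG)]
    for name, xml_text in samples:
        ok, findings = audit_web_config(xml_text)
        print(f"{name}: {'PASS' if ok else 'FAIL'}")
        for line in findings:
            print("  " + line)
```

Run it against the root web.config written by the /commit:WEBROOT command and against each site's or application's own web.config, since a lower-level file or a location element can override the global setting.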

Supportive Information

The following resource is also helpful.

This security hardening control applies to the following category of controls within NIST 800-53: Configuration Management. This control applies to the following type of system: Windows.

References

Source

Updated on July 16, 2022