2.4 Ensure 'forms authentication' is set to use cookies - Default

Information

Forms Authentication can be configured to maintain the site visitor's session identifier in either a URI or cookie. It is recommended that Forms Authentication be set to use cookies.

Rationale:

Using cookies to manage session state may help mitigate the risk of session hi-jacking attempts by preventing ASP.NET from having to move session information to the URL. Moving session information identifiers into the URL may cause session IDs to show up in proxy logs, browsing history, and be accessible to client scripting via document.location.

Impact:

Site visitor's session identifier will be stored via cookies.

Solution

Open IIS Manager and navigate to the level where Forms Authentication is enabled

In Features View, double-click Authentication

On the Authentication page, select Forms Authentication

In the Actions pane, click Edit

In the Cookie settings section, select Use cookies from the Mode dropdown

OR

Enter the following command in AppCmd.exe to configure:

%systemroot%\system32\inetsrv\appcmd set config -section:system.web/authentication /forms.cookieless:'UseCookies'

OR

Enter the following command in PowerShell to configure:

Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST/Default Web Site' -filter 'system.web/authentication/forms' -name 'cookieless' -value 'UseCookies'

Default Value:

The default setting for Cookie Mode is Auto Detect which will only use cookies if the device profile supports cookies.

See Also

https://workbench.cisecurity.org/benchmarks/13949

Item Details

Category: SYSTEM AND SERVICES ACQUISITION

References: 800-53|SA-8, CSCv7|18

Plugin: Windows

Control ID: f18a4c851699f4c1f20120c1de19fb2204c037092fb2d6828b7a97f4cd0d5a7a