3.6 Ensure 'httpcookie' mode is configured for session state

Information

A session cookie associates session information with client information for that session, which can be the duration of a user's connection to a site. The cookie is passed in a HTTP header together with all requests between the client and server.

Session information can also be stored in the URL. However, storing session information in this manner has security implications that can open attack vectors such as session hijacking. An effective method used to prevent session hijacking attacks is to force web applications to use cookies to store the session token. This is accomplished by setting the cookieless attribute of the sessionState node to UseCookies or False which will in turn keep session state data out of URI. It is recommended that session state be configured to UseCookies.

Rationale:

Cookies that have been properly configured help mitigate the risk of attacks such as session hi-jacking attempts by preventing ASP.NET from having to move session information to the URL; moving session information in URI causes session IDs to show up in proxy logs, and is accessible to client scripting via document.location.

Solution

SessionState can be set to UseCookies by using the IIS Manager GUI, using AppCmd.exe commands in a command-line window, directly editing the configuration files, or by writing WMI scripts. Perform the following to set the cookieless attribute of the sessionState node to UseCookies in the IIS Manager GUI:

Open the IIS Manager GUI and navigate desired server, site, or application

In Features View, find and double-click the Session State icon

In the Cookie Settings section, choose Use Cookies from the Mode dropdown

In the Actions Pane, click Apply

To use AppCmd.exe to configure sessionState at the server level, the command would look like this:

%systemroot%\system32\inetsrv\appcmd set config /commit:WEBROOT /section:sessionState /cookieless:UseCookies /cookieName:ASP.NET_SessionID /timeout:20

When Appcmd.exe is used to configure the <sessionstate> element at the global level in IIS, the /commit:WEBROOT switch must be included so that configuration changes are made to the root web.config file instead of ApplicationHost.config.

See Also

https://workbench.cisecurity.org/benchmarks/14293

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b.

Plugin: Windows

Control ID: bcbd099c48d70b2490421bb8f4d29fec14748982da12ebbc19432658f6ce0151