1.2.4 Configure Forms Authentication to Use Cookies

Information

Using cookies to manage session state may help mitigate the risk of session hijacking attempts by preventing ASP.NET from having to move session information into the URL. Placing session identifiers in the URL may cause session IDs to show up in proxy logs and browsing history, and makes them accessible to client-side script via document.location.

Solution

1. Open IIS Manager and navigate to the level where Forms Authentication is enabled.
2. In Features View, double-click Authentication.
3. On the Authentication page, select Forms Authentication.
4. In the Actions pane, click Edit.
5. In the Cookie settings section, select Use cookies from the Mode dropdown.
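The same setting can be audited, and if required corrected, from PowerShell instead of IIS Manager. The script below is an added example and is not part of the CIS benchmark or the Tenable audit text; it assumes the WebAdministration module that ships with IIS 7.0 and later, an elevated session, and that every site returned by Get-Website should be checked. The `$Remediate` switch, the `Test-FormsCookieMode` function name and the report fields are this example's own choices.

```powershell
# Added example: audit the Forms Authentication cookie mode on every IIS site
# and optionally set it to UseCookies (the benchmark's expected value).
# Assumes: WebAdministration module (IIS 7.0+), elevated session.
Import-Module WebAdministration

# Set to $true to change non-compliant sites; $false only reports.
$Remediate = $false

function Test-FormsCookieMode {
    param(
        [Parameter(Mandatory)] [string] $SiteName,
        [bool] $Fix = $false
    )

    $psPath = "IIS:\Sites\$SiteName"

    # system.web/authentication carries the mode (Forms, Windows, None, ...).
    $auth = Get-WebConfiguration -PSPath $psPath -Filter 'system.web/authentication'
    if ([string]$auth.mode -ne 'Forms') {
        return [pscustomobject]@{
            Site       = $SiteName
            AuthMode   = [string]$auth.mode
            Cookieless = $null
            Compliant  = $true      # control does not apply without Forms auth
            Action     = 'Not applicable'
        }
    }

    # cookieless is one of UseUri, UseCookies, AutoDetect, UseDeviceProfile.
    # Only UseCookies keeps the ticket out of the URL in every case.
    $mode = [string](Get-WebConfigurationProperty -PSPath $psPath `
        -Filter 'system.web/authentication/forms' -Name 'cookieless')

    $compliant = ($mode -eq 'UseCookies')
    $action = 'None'

    if (-not $compliant -and $Fix) {
        Set-WebConfigurationProperty -PSPath $psPath `
            -Filter 'system.web/authentication/forms' `
            -Name 'cookieless' -Value 'UseCookies'
        $action = "Changed $mode -> UseCookies"
        $compliant = $true
    }

    [pscustomobject]@{
        Site       = $SiteName
        AuthMode   = 'Forms'
        Cookieless = $mode
        Compliant  = $compliant
        Action     = $action
    }
}

# Run the check against every site and show the result as a table.
Get-Website |
    ForEach-Object { Test-FormsCookieMode -SiteName $_.Name -Fix $Remediate } |
    Format-Table -AutoSize
```

The equivalent declarative setting in the application's web.config is `<authentication mode="Forms"><forms cookieless="UseCookies" /></authentication>`; the script reads and writes that same attribute through the IIS configuration API, so either route produces the value the benchmark expects. Note that the machine default, UseDeviceProfile, falls back to URL-based tickets for browsers the device profile claims do not support cookies, which is why the check treats anything other than UseCookies as non-compliant.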

See Also

https://benchmarks.cisecurity.org/tools2/iis/CIS_Microsoft_IIS_7_Benchmark_v1.7.1.pdf

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, CSCv6|3.1

Plugin: Windows

Control ID: 36f4a36351ee0b9f2b29d88ec734cf23159f64d13adfa3b4f15ca596ec155abe