2.4 Ensure 'forms authentication' is set to use cookies - Not Enabled

Information

Forms Authentication can be configured to maintain the site visitor's session identifier in either a URI or cookie. It is recommended that Forms Authentication be set to use cookies.

Using cookies to manage session state may help mitigate the risk of session hi-jacking attempts by preventing ASP.NET from having to move session information to the URL. Moving session information identifiers into the URL may cause session IDs to show up in proxy logs, browsing history, and be accessible to client scripting via document.location.

NOTE: This requires the .Net Extensibility or ASPNET component, but neither component was found.

See Also

https://workbench.cisecurity.org/files/165