Using cookies to manage session state may help mitigate the risk of session hi-jacking attempts by preventing ASP.NET from having to move session information to the URL.

---

1. Open IIS Manager and navigate to the site, application, or virtual directory you want to configure for cookies.

2. In the IIS Section (Features View), double-click Authentication.

3. On the Authentication page, select Forms Authentication.

4. In the Actions pane, click Edit (Enable if neccessary).

5. In the Cookie settings section, select Use cookies from the Mode dropdown.

6. Confirm the cookieless attribute in the forms element is set to “UseCookies”.

< system.web>
< authentication>
< forms cookieless=”UseCookies” requireSSL=”true” timeout=”30″ />
</ authentication>
</ system.web>

---