Pentesting ASP.NET Cookieless Sessions with Burp

Carrie Roberts & Brian King // We were recently testing a web application that used ASP.NET cookieless sessions. This meant that the session token was part of the URL, as shown in the example below. In this case, the session token is of the form (S(LongRandomToken)), where LongRandomToken is a long, randomly generated alphanumeric […]
