Tuesday, October 14, 2008

Developing Web Applications today: learnt about ASP.NET code-behind in VB.NET. Was really interesting.

A classmate asked a question about how ASP.NET stores session state. It piqued my interest, as I've successfully performed a session-hijacking proof-of-concept on an ASP classic page. ASP classic simply stores a session cookie, and simple JavaScript will be able to access it (type javascript:alert(document.cookie) as a URL).

It didn't work for an ASP.NET app I knocked up, however (*insert sad face here*). A bit of searching revealed that ASP.NET uses HttpOnly cookies, which means that the cookie cannot be read client-side (i.e. via JavaScript; no wonder javascript:alert(document.cookie) turned out blank).

Apparently, HttpOnly cookies are still sent in the headers of an XMLHttpRequest request though. Interesting vector :D

And cookieless sessions via the URL is one of the stupidest ideas I've heard in a long time. For chrissakes, just use a hidden form?
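As an added defender-side check (example code, not from the original post): a small Python audit of Set-Cookie headers that lists which cookies page script could read through document.cookie, flags session cookies missing HttpOnly or Secure, and spots ASP.NET cookieless session ids carried in a URL. The sample responses and id values are constructed; the default cookie names ASPSESSIONID* and ASP.NET_SessionId and the /(S(id))/ URL form are the ones ASP classic and ASP.NET use.

```python
import re

# Default session-cookie names: ASP classic appends a per-application suffix
# to ASPSESSIONID; ASP.NET uses ASP.NET_SessionId.
SESSION_COOKIE_PREFIXES = ("ASPSESSIONID", "ASP.NET_SessionId")
# ASP.NET cookieless mode embeds the session id in the URL path as /(S(id))/.
COOKIELESS_URL_RE = re.compile(r"/\(S\([0-9a-z]+\)\)/")

# Constructed sample responses as (header, value) lists; the ids are made up.
ASP_CLASSIC_RESPONSE = [("Set-Cookie", "ASPSESSIONIDQQABCDEF=ABCDEFGHIJKLMNOPQRSTUVWX; path=/")]
ASP_NET_RESPONSE = [("Set-Cookie", "ASP.NET_SessionId=xyz123abc456; path=/; HttpOnly")]

def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, attrs); attrs maps
    lower-cased attribute names to their value, or True for bare flags."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return name.strip(), value.strip(), attrs

def set_cookies(headers):
    """Yield (name, attrs) for every Set-Cookie header in a response."""
    for hname, hvalue in headers:
        if hname.lower() == "set-cookie":
            name, _, attrs = parse_set_cookie(hvalue)
            yield name, attrs

def script_visible_cookies(headers):
    """Cookie names a page script could read via document.cookie: every
    cookie the response set minus those flagged HttpOnly."""
    return [name for name, attrs in set_cookies(headers) if "httponly" not in attrs]

def audit_session_cookies(headers):
    """Report session cookies set without HttpOnly or without Secure,
    as (name, [missing flags]) pairs."""
    findings = []
    for name, attrs in set_cookies(headers):
        if name.startswith(SESSION_COOKIE_PREFIXES):
            missing = [f for f in ("httponly", "secure") if f not in attrs]
            if missing:
                findings.append((name, missing))
    return findings

def has_cookieless_session_id(url):
    """True when the URL carries an ASP.NET cookieless session id."""
    return COOKIELESS_URL_RE.search(url) is not None
```

HttpOnly only hides the cookie from script; the browser still attaches it to the requests it sends, so the flag complements output encoding and CSRF defences rather than replacing them.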
