A Web Application Firewall (WAF), though still evolving, is crucial for strong application layer defense. Unfortunately, HTTP is a stateless protocol, and session management is addressed at the application layer and not at the protocol layer. It is possible to bridge WAF and session objects on the .NET platform to build a stateful WAF (SWAF).
Read Here