Currently I am using this in my web.config:

<sessionState mode="InProc" cookieless="UseCookies" timeout="60" />

My question is what is the difference between UseCookies and false in cookieless attribute? It is confusing for me.

From, http://msdn.microsoft.com/en-us/library/ms972429.aspx (2000, written in .NET 1.0)

Cookieless. The cookieless option for ASP.NET is configured with this simple Boolean setting.

Now, from: http://msdn.microsoft.com/en-us/library/aa479315.aspx (2005, written in .NET 2.0)

1. "UseCookies": As this name implies, the cookieless feature will never be used.
2. "UseUri": The cookieless feature will always be used.
3. "UseDeviceProfile": Depending on the browser making the request, the cookieless feature may or may not be used. If ASP.NET recognizes that the browser does not support cookies, then the cookieless feature will be used. Technically speaking, the two Boolean variables Request.Browser.Cookies and Request.Browser.SupportsRedirectWithCookie must both be true for ASP.NET to assume that cookies are supported by the browser.
4. "AutoDetect": In this setting, ASP.NET attempts to detect whether the browser supports cookies or not. The algorithm is a little complex, and I'll lay it out in pseudo code. (The algorithm is subject to change in future builds).

As we can see, this boolean mode "true" or "false" was probably deprecated

So if "false" and "true" values still work nowdays (for .NET framework 2.0 and above) I guess when you set "false" it assumes that will be used cookies for storing session identifier as UseCookies and "true" will assume that you don't want to store cookies as UseUri.