Using IIS Rewrite to add HttpOnly Flag To Cookies Not Working

Anonymous (unverified), submitted 2019-12-03 03:12:02

Question:

I found numerous examples of adding the HttpOnly to my cookies but it does not work for me and I am not sure why. All the examples I found were the same and I copied this one from one of the posts that I had found. I am using .NET 3.5 under IIS 7.0. Hopefully someone can tell me what I am doing wrong? Thanks

    <rewrite>
      <outboundRules>
        <rule name="Add HttpOnly" preCondition="No HttpOnly">
          <match serverVariable="RESPONSE_Set_Cookie" pattern=".*" negate="false" />
          <action type="Rewrite" value="{R:0}; HttpOnly" />
          <conditions>
          </conditions>
        </rule>
        <preConditions>
          <preCondition name="No HttpOnly">
            <add input="{RESPONSE_Set_Cookie}" pattern="." />
            <add input="{RESPONSE_Set_Cookie}" pattern="; HttpOnly" negate="true" />
          </preCondition>
        </preConditions>
      </outboundRules>
    </rewrite>

UPDATE

I figured out how to turn on tracing and found that the preCondition is looking at all the cookies as a whole instead of each individual cookie.

So instead of evaluating

    Set-Cookie: myC5=we have S Cookie; path=/; secure
    Set-Cookie: myC6=we have S Cookie; path=/; secure
    Set-Cookie: myC7=we have S Cookie; path=/; secure; HttpOnly

It is evaluating

    myC5=we have S Cookie; path=/; secure,myC6=we have S Cookie; path=/; secure,myC7=we have S Cookie; path=/; secure; HttpOnly

Since the whole string has ; HttpOnly in it, the preCondition fails.

How do I get past this? Any ideas?

Answer 1:

I finally got past this so I wanted to post for others that might run into this. I removed my preConditions and just used conditions. I then had to use the back reference to get to the single cookie.

    <rewrite>
      <outboundRules>
        <rule name="Add HttpOnly">
          <match serverVariable="RESPONSE_Set_Cookie" pattern=".*" />
          <conditions>
            <add input="{R:0}" pattern="; HttpOnly" negate="true" />
          </conditions>
          <action type="Rewrite" value="{R:0}; HttpOnly" />
        </rule>
        <rule name="Add Secure">
          <match serverVariable="RESPONSE_Set_Cookie" pattern=".*" />
          <conditions>
            <add input="{R:0}" pattern="; Secure" negate="true" />
          </conditions>
          <action type="Rewrite" value="{R:0}; Secure" />
        </rule>
      </outboundRules>
    </rewrite>

Hope this helps someone in the future.
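The difference between the failing preCondition (evaluated against the comma-joined RESPONSE_Set_Cookie string) and the working per-cookie condition, simulated in Python as an added example that is not part of the question or answer above. It assumes case-insensitive attribute matching (the IIS URL Rewrite default) and adds an audit function a defender can run over captured Set-Cookie headers to confirm every cookie carries both flags.

```python
import re

# Constructed sample: the three Set-Cookie values quoted in the question.
SAMPLE_COOKIES = [
    "myC5=we have S Cookie; path=/; secure",
    "myC6=we have S Cookie; path=/; secure",
    "myC7=we have S Cookie; path=/; secure; HttpOnly",
]


def has_attribute(cookie: str, name: str) -> bool:
    """True if the cookie already carries a value-less attribute such as
    HttpOnly or Secure. Cookie attribute names are case-insensitive, and
    whitespace after ';' is optional, so this is more tolerant than the
    literal '; HttpOnly' regex used in the IIS rule."""
    return any(part.strip().lower() == name.lower()
               for part in cookie.split(";")[1:])


def precondition_whole_header(cookies: list[str]) -> bool:
    """Mimics the failed preCondition from the question: IIS exposes
    RESPONSE_Set_Cookie as ONE comma-joined string, so '; HttpOnly'
    negate='true' only passes when NO cookie in the response has the flag."""
    joined = ",".join(cookies)
    return re.search(r"; HttpOnly", joined, re.IGNORECASE) is None


def rewrite_per_cookie(cookies: list[str]) -> list[str]:
    """Mimics the working answer: the condition runs on the {R:0} back
    reference, i.e. each individual Set-Cookie value, and the two rules
    append HttpOnly and Secure only where they are missing (idempotent)."""
    rewritten = []
    for cookie in cookies:
        for flag in ("HttpOnly", "Secure"):
            if not has_attribute(cookie, flag):
                cookie += f"; {flag}"
        rewritten.append(cookie)
    return rewritten


def audit(cookies: list[str]) -> dict[str, list[str]]:
    """Defender's check: map each cookie name to the flags it still lacks."""
    return {c.split("=", 1)[0].strip(): [f for f in ("HttpOnly", "Secure")
                                         if not has_attribute(c, f)]
            for c in cookies}
```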


