Does anyone know exactly how to set HTTPONLY on classic ASP session cookies?
This is the final thing that's been flagged in a vulnerability scan and needs fixing AS
If you have IIS7+ you need to make sure the URL Rewrite module is installed. You can install it with the Web Platform Installer, which can be found in the features view for your website. You need to run IIS Manager as administrator.
Click on the Web Platform Installer in the features view for your website:
Make sure the URL Rewrite Server Product is installed. If it isn't, then install it.
With the URL Rewrite Server Product installed, you can use the URL Rewrite feature on your website to add a rule that sets HttpOnly on your session ID cookies.
If one doesn't already exist, you should see a web.config file created for your ASP site. It will have the following contents:
If you use Firebug in Firefox to inspect your cookies, you should now see the HttpOnly flag set:
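The web.config that the URL Rewrite feature writes for the rule described above, as an added example that is not the answer's own file. It assumes URL Rewrite 2.x on IIS 7 or later, that the classic ASP session cookie keeps its default name prefix `ASPSESSIONID` (IIS appends a random suffix per application), and that no other rewrite rules exist in the site yet; the rule and precondition names are made up for this example.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <outboundRules>
        <!-- Append "; HttpOnly" to each Set-Cookie response header that carries the
             classic ASP session cookie (name begins with ASPSESSIONID) and does not
             already contain the HttpOnly attribute. {R:1} is the original header value. -->
        <rule name="Add HttpOnly to ASP session cookie" preCondition="Session cookie without HttpOnly">
          <match serverVariable="RESPONSE_Set_Cookie" pattern="^(ASPSESSIONID[^=]*=.*)$" />
          <action type="Rewrite" value="{R:1}; HttpOnly" />
        </rule>
        <preConditions>
          <!-- Both entries must match (default logicalGrouping="MatchAll"); patterns are
               case-insensitive by default, so "httponly" in any casing is detected. -->
          <preCondition name="Session cookie without HttpOnly">
            <add input="{RESPONSE_Set_Cookie}" pattern="^ASPSESSIONID" />
            <add input="{RESPONSE_Set_Cookie}" pattern=";\s*HttpOnly" negate="true" />
          </preCondition>
        </preConditions>
      </outboundRules>
    </rewrite>
  </system.webServer>
</configuration>
```

After saving the file, confirm the change on the response rather than trusting the config: request a page that starts a session and check that every `Set-Cookie: ASPSESSIONID...` header ends with `; HttpOnly` (browser developer tools or `curl -I` both show the raw header). Test a page that also sets other cookies, because the precondition inspects the whole `RESPONSE_Set_Cookie` variable and its behaviour with several Set-Cookie headers in one response should be verified on your IIS version rather than assumed. If the site is served only over HTTPS, the same action can append `; Secure` as well, which scanners flag alongside the missing HttpOnly flag.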