I am facing a challenge forcing a vendor ASP.NET web site to use HttpOnly cookies. So far I’ve tried adding
<httpCookies httpOnlyCookies="true" />
to the web.config with no success. The application is hosted under Framework 2.0 but there’s a chance that it was actually written in 1.1 – I don’t have that information available.
My understanding is that httpOnlyCookies=true is a default setting in ASP.NET 2.0 and cannot be turned off via a config change - code needs to be written to override that setting. So, when using Fiddler2 I've noticed that HttpOnly is not being appended with or without the <httpCookies httpOnlyCookies=true> entry in the config file.
Has anyone experienced this problem and can give me more insight into it? Changing code is not an option as it is a vendor application.
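The poster verified the missing flag by watching Set-Cookie headers in Fiddler2. The following is an added example (not code from the post or from the vendor application) that does the same check automatically over captured response headers: it parses every Set-Cookie header and reports which cookies lack HttpOnly, and, going one step beyond the question, which also lack Secure. The raw response text below is constructed for the example; the cookie names are typical ASP.NET ones, not values taken from the poster's site.

```python
from typing import Dict, List

# Constructed sample: raw HTTP response headers as a proxy such as Fiddler2
# would display them. Made up for this example, not captured from the
# vendor application in the question.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: ASP.NET_SessionId=abc123; path=/; HttpOnly\r\n"
    "Set-Cookie: .ASPXAUTH=tokenvalue; path=/\r\n"
    "Set-Cookie: prefs=dark; expires=Wed, 01 Jan 2025 00:00:00 GMT; path=/; Secure\r\n"
    "\r\n"
    "<html>...</html>"
)


def parse_set_cookie(value: str) -> dict:
    """Split one Set-Cookie header value into name, value and lower-cased attributes.

    Flag attributes without a value (HttpOnly, Secure) map to an empty string.
    """
    parts = [p.strip() for p in value.split(";")]
    name, _, cookie_value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": cookie_value, "attrs": attrs}


def extract_set_cookie_headers(raw_response: str) -> List[str]:
    """Return the values of all Set-Cookie headers in a raw HTTP response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    values = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        key, _, val = line.partition(":")
        if key.strip().lower() == "set-cookie":
            values.append(val.strip())
    return values


def audit_cookies(raw_response: str) -> Dict[str, List[str]]:
    """Map each cookie name to the protective flags it is missing.

    Cookies that carry both HttpOnly and Secure are omitted from the result,
    so an empty dict means every cookie in the response is flagged correctly.
    """
    findings: Dict[str, List[str]] = {}
    for header in extract_set_cookie_headers(raw_response):
        cookie = parse_set_cookie(header)
        missing = [flag for flag in ("httponly", "secure") if flag not in cookie["attrs"]]
        if missing:
            findings[cookie["name"]] = missing
    return findings


if __name__ == "__main__":
    for name, missing in audit_cookies(SAMPLE_RESPONSE).items():
        print(f"{name}: missing {', '.join(missing)}")
```

Feed the function the raw headers exported from the proxy session; any cookie that still shows up with "httponly" in its list confirms the config change had no effect on that cookie, which is the symptom described above.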