Setting HttpOnly for Classic ASP Session Cookie
Microsoft includes an example that uses an ISAPI filter to add HttpOnly to all outbound cookies: http://msdn.microsoft.com/en-us/library/ms972826

Alternatively, URL rewriting could be used: http://forums.iis.net/p/1168473/1946312.aspx

    <rewrite>
      <outboundRules>
        <!-- Append HttpOnly to each outgoing Set-Cookie header that lacks it -->
        <rule name="Add HttpOnly" preCondition="No HttpOnly">
          <match serverVariable="RESPONSE_Set_Cookie" pattern=".*" negate="false" />
          <action type="Rewrite" value="{R:0}; HttpOnly" />
          <conditions>
          </conditions>
        </rule>
        <preConditions>
          <!-- Run only when a Set-Cookie header exists and does not already carry HttpOnly -->
          <preCondition name="No HttpOnly">
            <add input="{RESPONSE_Set_Cookie}" pattern="." />
            <add input="{RESPONSE_Set_Cookie}" pattern="; HttpOnly" negate="true" />
          </preCondition>
        </preConditions>
      </outboundRules>
    </rewrite>

…
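To check that the rule is doing its job, the following added example (not code from the original page or from Microsoft) audits the Set-Cookie headers of a response for a missing HttpOnly attribute and mirrors the rule's precondition and rewrite on each value. The sample response is constructed, the function names are hypothetical, and case-insensitive pattern matching is assumed.

```python
import re

# Constructed sample response (not captured from a real server).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: ASPSESSIONIDQACRDTBS=EXAMPLEEXAMPLEEXAMPLE; path=/\r\n"
    "Set-Cookie: theme=dark; path=/; HttpOnly\r\n"
    "Set-Cookie: lang=en; Path=/; httponly; Secure\r\n"
    "\r\n"
)

def set_cookie_values(raw_response):
    """Return the value of every Set-Cookie header in a raw HTTP response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    values = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "set-cookie":
            values.append(value.strip())
    return values

def has_httponly(value):
    """True if HttpOnly is present as a cookie attribute (any letter case)."""
    attrs = [a.strip().lower() for a in value.split(";")[1:]]
    return "httponly" in attrs

def apply_rule(value):
    """Mirror the rule: precondition 'No HttpOnly', then rewrite to '{R:0}; HttpOnly'."""
    # Assumption: patterns match case-insensitively (URL Rewrite's default ignoreCase).
    if re.search(".", value) and not re.search("; HttpOnly", value, re.IGNORECASE):
        return value + "; HttpOnly"
    return value

def audit(raw_response):
    """Names of cookies that would reach the browser without HttpOnly."""
    return [v.split("=", 1)[0]
            for v in set_cookie_values(raw_response) if not has_httponly(v)]

if __name__ == "__main__":
    print("missing HttpOnly:", audit(SAMPLE_RESPONSE))
    for v in set_cookie_values(SAMPLE_RESPONSE):
        print(apply_rule(v))
```

Run the audit against a response captured before and after deploying the rule; the Classic ASP session cookie (ASPSESSIONID…) should be reported only in the first.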