Security scan finds httpOnly cookies in ASP.NET application even when disabled


I have tried to enable httpOnly cookies in my WSS 3.0 forms-authentication application using the web.config tag. A Cenzic Hailstorm security scan report claims that cookies are being produced with the flag off, including the .ASPXAUTH cookie, one related to Discovery.asmx, and one related to WSS_AccessibiltyFeature. Here are my questions:

  1. Is there some way the scan could be mistaken?
  2. Is there something I do not understand about how the cookies are created? Are these exempt from the httpOnly flag?
  3. Is there a way to verify myself that the cookies are coming out as httpOnly? I am aware of the Watcher add-on for Fiddler but I have not been able to get that to work (I am communicating with the developer). Surely there is something else that can examine the cookie.
Best answer:

Actually, you can use Fiddler to look at the Raw source of your HTTP request. That should tell you about the httpOnly cookies.

See more about this here: http://www.codinghorror.com/blog/archives/001167.html
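The same check the answer describes in Fiddler's Raw view can be scripted: parse each Set-Cookie header of a response and list the cookies that lack the HttpOnly attribute. This is an added example, not code from the thread; the embedded response is constructed (cookie names from the question, dummy values), and `fetch_set_cookies` assumes the target URL is reachable.

```python
"""List cookies in an HTTP response that are set without the HttpOnly flag."""
from typing import Dict, List
from urllib.request import urlopen

# Constructed sample, shaped like the raw response Fiddler shows for a
# forms-auth login. Cookie names are taken from the question; values are dummy.
SAMPLE_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "Set-Cookie: .ASPXAUTH=0123ABCD; path=/; HttpOnly\r\n"
    "Set-Cookie: WSS_AccessibiltyFeature=false; path=/\r\n"
    "Set-Cookie: ASP.NET_SessionId=abc123; path=/; HttpOnly\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def parse_set_cookie_values(values: List[str]) -> Dict[str, List[str]]:
    """Map each cookie name to its attribute names, lower-cased.

    'path=/; HttpOnly' becomes ['path', 'httponly']; attribute values are dropped
    because only the presence of a flag matters here."""
    cookies: Dict[str, List[str]] = {}
    for value in values:
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        cookies[cookie_name] = [p.split("=", 1)[0].lower() for p in parts[1:] if p]
    return cookies


def parse_set_cookies(raw_response: str) -> Dict[str, List[str]]:
    """Extract Set-Cookie headers from a raw HTTP response (headers only)."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    values = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "set-cookie":
            values.append(value.strip())
    return parse_set_cookie_values(values)


def cookies_missing_flag(cookies: Dict[str, List[str]], flag: str = "httponly") -> List[str]:
    """Names of cookies whose attribute list lacks the given flag."""
    return sorted(name for name, attrs in cookies.items() if flag.lower() not in attrs)


def fetch_set_cookies(url: str) -> Dict[str, List[str]]:
    """Live variant: fetch a URL and parse its Set-Cookie headers (assumes network)."""
    with urlopen(url) as resp:
        return parse_set_cookie_values(resp.headers.get_all("Set-Cookie") or [])


if __name__ == "__main__":
    print("Missing HttpOnly:", cookies_missing_flag(parse_set_cookies(SAMPLE_RESPONSE)))
```

Point it at the login response of the application (for example, by redirecting the live headers from a capture) and any cookie it lists is one the web.config setting did not cover.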