[WEB SECURITY] Classic ASP and HTTPOnly Cookies

Eric Jenko e.jenko at gmail.com
Fri Apr 11 14:38:05 EDT 2008

I've been trying to find some documentation (if any) on the forcing the
HTTPOnly cookie flag for classic ASP applications that do not run on the
.NET Framework.

As it is, everything I find and read involves either editing the
web.config/machine.config, or editing the global.asax file.  When I am am
working with the vendors/developers to secure these applications, they
respond that  "the sites are not running on .NET" and that they do not have
a global.asax or web.config file.

Any help would be definitely appreciated.

e.jenko at gmail.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/attachments/20080411/8288c52e/attachment.html>

More information about the websecurity mailing list