I found many examples of adding HttpOnly to my cookies, but it does not work for me, and I'm not sure why. All the examples that I found were the same, and I copied this from one of the posts I found. I am using .NET 3.5 in IIS 7.0. Hope someone can tell me what I'm doing wrong? Thanks
<rewrite>
<outboundRules>
<rule name="Add HttpOnly" preCondition="No HttpOnly">
<match serverVariable="RESPONSE_Set_Cookie" pattern=".*" negate="false" />
<action type="Rewrite" value="{R:0}; HttpOnly" />
<conditions>
</conditions>
</rule>
<preConditions>
<preCondition name="No HttpOnly">
<add input="{RESPONSE_Set_Cookie}" pattern="." />
<add input="{RESPONSE_Set_Cookie}" pattern="; HttpOnly" negate="true" />
</preCondition>
</preConditions>
</outboundRules>
</rewrite>
UPDATE
I figured out how to enable tracking and found that preCondition considers all cookies in general, instead of each individual cookie.
So, instead of evaluating
Set-Cookie: myC5=we have S Cookie; path=/; secure
Set-Cookie: myC6=we have S Cookie; path=/; secure
Set-Cookie: myC7=we have S Cookie; path=/; secure; HttpOnly
He appreciates
myC5=we have S Cookie; path=/; secure,myC6=we have S Cookie; path=/; secure,myC7=we have S Cookie; path=/; secure; HttpOnly
Since the whole line has; HttpOnly in it, preCondition fails.
How do I get past this? Any ideas?