Pen Testing - HttpOnly and Secure Cookies


Hi Guys

Been scratching my head on this one for a couple of days now and not sure what to do. We had an external company do some pen testing, and there is one cookie that is being flagged as non-secure because it has no HttpOnly or Secure flag on it. The cookie in question is 51D - I think it's related to the 51 Degrees module for resizing the website for phone/tablet/desktop versions.

However, in the web.config I have already amended the following attributes for cookies: httpOnlyCookies="true" requireSSL="true"

I think the settings in web.config are only "available" to the .NET code which is running on the website. If the 51 Degrees module isn't a "core" part of the .NET application and is just JavaScript executed in the browser, then it's totally possible that those settings aren't used.

I don't know what I can do to resolve this.

Any thoughts or suggestions? Sites are running on IIS 8.5

Thanks a lot
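The distinction the post draws (web.config settings only reach cookies issued by the .NET pipeline; a cookie written by browser-side JavaScript never passes through them) can be checked directly from the server's response headers. The following is an added example, not code from the original post or from 51Degrees: it parses the `Set-Cookie` headers of one response the way a pen-test scanner does, lists which server-set cookies lack HttpOnly or Secure, and reports a flagged cookie that never appears in `Set-Cookie` as client-side. That last case matters because a cookie created with `document.cookie` cannot be given HttpOnly at all (only the script can add Secure), so no IIS or web.config change will clear the finding. The header values are constructed sample data; the cookie name `lb` is hypothetical.

```python
"""Audit Set-Cookie headers for the HttpOnly and Secure flags (added example)."""
from typing import Dict, List, Set, Tuple

REQUIRED_FLAGS = ("HttpOnly", "Secure")


def parse_set_cookie(header_value: str) -> Tuple[str, Set[str]]:
    """Split one Set-Cookie header value into (cookie name, lowercase attribute names).

    Attributes such as 'secure' and 'HttpOnly' have no '=value' part, so only the
    text before any '=' is kept; comparison is case-insensitive per RFC 6265.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def audit_set_cookie(header_values: List[str]) -> Dict[str, List[str]]:
    """Map each cookie name the server sets to the required flags it is missing."""
    findings: Dict[str, List[str]] = {}
    for value in header_values:
        name, attrs = parse_set_cookie(value)
        findings[name] = [flag for flag in REQUIRED_FLAGS if flag.lower() not in attrs]
    return findings


def explain(flagged_cookies: List[str], header_values: List[str]) -> Dict[str, str]:
    """For each cookie a scanner flagged, say whether server-side configuration can fix it.

    A cookie present in Set-Cookie is issued by the server, so IIS or web.config can
    add the flags. A cookie absent from every Set-Cookie header is written in the
    browser (e.g. document.cookie); HttpOnly can never be applied to such a cookie.
    """
    findings = audit_set_cookie(header_values)
    report: Dict[str, str] = {}
    for name in flagged_cookies:
        if name not in findings:
            report[name] = ("not in Set-Cookie: set client-side; HttpOnly not possible, "
                            "Secure only if the script adds it")
        elif findings[name]:
            report[name] = "server-set, missing: " + ", ".join(findings[name])
        else:
            report[name] = "ok"
    return report


# Constructed sample response: the ASP.NET cookies honour httpOnlyCookies/requireSSL,
# a hypothetical load-balancer cookie 'lb' lacks HttpOnly, and 51D is absent because
# it is set in the browser. Not captured from any real site.
SAMPLE_SET_COOKIE = [
    "ASP.NET_SessionId=abc123; path=/; secure; HttpOnly",
    ".ASPXAUTH=token; expires=Fri, 01-Jan-2027 00:00:00 GMT; path=/; secure; HttpOnly",
    "lb=node1; Path=/; Secure",
]

if __name__ == "__main__":
    for cookie, verdict in explain(["51D", "lb", "ASP.NET_SessionId"], SAMPLE_SET_COOKIE).items():
        print(f"{cookie}: {verdict}")
```

Run it against the real headers (for example, the `Set-Cookie` values copied from the browser's network panel or from a `curl -I` of the site): if `51D` shows up as server-set, the flags can be added in IIS; if it never appears in `Set-Cookie`, the finding can only be addressed in the script that creates the cookie, or by documenting to the testers that HttpOnly is not applicable to a client-side cookie.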
