Setting cookie with ssnid to secure

All, I have a .dsp application that is exposed to the internet, and is protected by SSL etc. However, in penetration testing, I had a flaw where the cookie containing the session ID is not encrypted and could be used for hijacking a session.

I think I need to set the "Secure" and "HttpOnly" attributes of the cookie that is generated by IS.

Does anyone have any experience of this area? I have tried to set this in JavaScript, but cannot get `document.cookie=` to change the cookie at all. Basically this JavaScript in an initial redirect page:

seems to have no effect, i.e. the cookie always contains ssnid=… with no ;secure at the end.

Any ideas, or am I going in the wrong direction?

Thanks
Graham
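An added example (not from the post, and not webMethods Integration Server code): a small Node.js audit that parses Set-Cookie response headers and reports whether a session cookie carries Secure and HttpOnly, which is how a tester or a release check can confirm the server-side fix. It assumes the session cookie is named `ssnid` as in the post, and it also checks for SameSite, which the post does not mention.

```javascript
// Added example (not from the original post): audit Set-Cookie response headers
// for the Secure and HttpOnly attributes that protect a session cookie such as
// "ssnid". The fix belongs in the server's Set-Cookie header: document.cookie can
// never add HttpOnly, and a cookie that already carries HttpOnly is invisible to
// script, so client-side JavaScript is the wrong place to apply these flags.
'use strict';

// Parse one Set-Cookie header value into its name/value pair and attribute map.
// Attribute names are case-insensitive per RFC 6265, so they are lower-cased.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const cookie = {
    name: eq === -1 ? parts[0] : parts[0].slice(0, eq).trim(),
    value: eq === -1 ? '' : parts[0].slice(eq + 1).trim(),
    attributes: {},
  };
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    cookie.attributes[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return cookie;
}

// Report which protective attributes a session cookie is missing.
// sessionNames: cookie names treated as session identifiers (assumed: "ssnid").
function auditSessionCookie(header, sessionNames = ['ssnid']) {
  const c = parseSetCookie(header);
  const findings = [];
  if (!sessionNames.includes(c.name)) return { name: c.name, session: false, findings };
  if (!c.attributes.secure) findings.push('missing Secure: cookie may be sent over plain HTTP');
  if (!c.attributes.httponly) findings.push('missing HttpOnly: cookie readable by page script');
  if (!c.attributes.samesite) findings.push('missing SameSite: consider SameSite=Lax or Strict');
  return { name: c.name, session: true, findings };
}

// Constructed sample headers: the weak one resembles what the post describes,
// the hardened one is what the server should send instead.
const WEAK_HEADER = 'ssnid=0123456789abcdef; Path=/';
const HARDENED_HEADER = 'ssnid=0123456789abcdef; Path=/; Secure; HttpOnly; SameSite=Lax';

for (const h of [WEAK_HEADER, HARDENED_HEADER]) {
  const r = auditSessionCookie(h);
  console.log(h, '=>', r.findings.length ? r.findings.join('; ') : 'ok');
}
```

Run it against the real Set-Cookie header captured from the application's login response to confirm the server, not a redirect page, is adding the attributes.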
