All, I have a .dsp application that is exposed to the internet, and is protected by SSL etc. However, in penetration testing, I had a flaw where the cookie containing the session ID is not encrypted and could be used for hijacking a session.
I think I need to set the “Secure” and “HttpOnly” attributes of the cookie that is generated by IS.
This seems to have no effect, i.e. the cookie always contains ssnid=… with no ;Secure at the end.
Any ideas, or am I going in the wrong direction?
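As an added illustration (not part of the original post, and not Integration Server code): the finding is about what the server actually sends in Set-Cookie, so the thing to verify after any configuration change is that header, not the setting. The small audit below parses Set-Cookie values and reports which of the Secure and HttpOnly attributes are missing from the session cookie. The header strings are constructed samples; the cookie name ssnid is taken from the post, and the attribute matching is case-insensitive as browsers treat it.

```python
"""Audit Set-Cookie headers for the Secure and HttpOnly attributes.

Added example; not code from the original post or from Integration Server.
The sample headers are constructed for illustration; the cookie name
"ssnid" is the session cookie named in the post.
"""
from typing import Dict, List, NamedTuple, Optional


class CookieAudit(NamedTuple):
    name: str
    secure: bool
    httponly: bool
    samesite: Optional[str]


def parse_set_cookie(header: str) -> CookieAudit:
    """Parse one Set-Cookie value of the shape 'name=value; Attr; Attr=val'.

    Attribute names are compared case-insensitively, matching browser behaviour.
    """
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, Optional[str]] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip() if sep else None
    return CookieAudit(
        name=name,
        secure="secure" in attrs,
        httponly="httponly" in attrs,
        samesite=attrs.get("samesite"),
    )


def missing_flags(header: str) -> List[str]:
    """Return the protective attributes that this Set-Cookie value lacks."""
    cookie = parse_set_cookie(header)
    missing: List[str] = []
    if not cookie.secure:
        missing.append("Secure")   # cookie would also be sent over plain HTTP
    if not cookie.httponly:
        missing.append("HttpOnly")  # cookie readable from document.cookie (XSS theft)
    return missing


def audit_session_cookies(headers: List[str],
                          session_cookie: str = "ssnid") -> Dict[str, List[str]]:
    """Map each Set-Cookie header that sets the session cookie to its missing flags.

    Headers for other cookies are ignored so the report stays focused on the
    session identifier the pentest finding concerns.
    """
    report: Dict[str, List[str]] = {}
    for header in headers:
        if parse_set_cookie(header).name == session_cookie:
            report[header] = missing_flags(header)
    return report


# Constructed samples (the value is a placeholder, not a real session id).
WEAK_HEADER = "ssnid=EXAMPLESESSIONVALUE; Path=/"
HARDENED_HEADER = "ssnid=EXAMPLESESSIONVALUE; Path=/; Secure; HttpOnly"

if __name__ == "__main__":
    for header, missing in audit_session_cookies([WEAK_HEADER, HARDENED_HEADER]).items():
        print(f"{header!r}: missing {missing or 'nothing'}")
```

To feed it real data, capture the response headers from the deployed application (for example `curl -sI https://your-host/your-page.dsp` and take the Set-Cookie lines) and pass them to `audit_session_cookies`. An empty list for the ssnid header is the result the penetration tester would need to see.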