IBM webMethods Hybrid Integration


Setting cookie with ssnid to secure

  • 1.  Setting cookie with ssnid to secure

    Posted Tue September 22, 2009 06:09 PM

    All, I have a .dsp application that is exposed to the internet and is protected by SSL etc. However, in penetration testing, I had a flaw where the cookie containing the session id is not encrypted and could be used for hijacking a session.

    I think I need to set the “secure” and “HTTPOnly” attributes of the cookie that is generated by IS.

    Does anyone have any experience of this area? I have tried to set this in JavaScript, but cannot get the document.cookie= to change the cookie at all. Basically this JavaScript in an initial redirect page:

    seems to have no effect, i.e. the cookie always contains ssnid=… with no ;secure at the end

    Any ideas, or am I going in the wrong direction?

    thanks
    graham


    #webMethods-Archive
    #Integration-Server-and-ESB
    #webMethods
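
Added example, not part of the original post and not Integration Server code: reading document.cookie returns only name=value pairs, never attributes, and script cannot set HttpOnly, so the flags have to be checked in the Set-Cookie response header. The sketch below audits Set-Cookie lines for the ssnid cookie; the header values and function names are constructed for illustration.

```javascript
// Audit Set-Cookie response headers for a session cookie's security flags.
// Sample header values are constructed; they are not captured from a real server.
const WEAK = ["ssnid=0123456789abcdef; Path=/"];
const HARDENED = ["lang=en; Path=/", "ssnid=0123456789abcdef; Path=/; secure; HTTPOnly"];

// Split one Set-Cookie value into name, value and a lower-cased attribute map.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  if (eq < 1) return null; // no usable name=value pair
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    if (!a) continue; // tolerate a trailing ";"
    const i = a.indexOf("=");
    // Attribute names are case-insensitive (Secure, secure, HTTPOnly, ...).
    const key = (i === -1 ? a : a.slice(0, i)).trim().toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1).trim();
  }
  return cookie;
}

// Return a list of findings for the named cookie; an empty list means both flags are set.
function auditSessionCookie(setCookieHeaders, name) {
  const findings = [];
  let seen = false;
  for (const h of setCookieHeaders) {
    const c = parseSetCookie(h);
    if (!c || c.name !== name) continue; // ignore other cookies
    seen = true;
    if (!c.attrs.secure) findings.push("missing Secure");
    if (!c.attrs.httponly) findings.push("missing HttpOnly");
  }
  if (!seen) findings.push("cookie not set");
  return findings;
}

console.log("weak:", auditSessionCookie(WEAK, "ssnid"));
console.log("hardened:", auditSessionCookie(HARDENED, "ssnid"));
```

Feed it the Set-Cookie values taken from the login response (browser developer tools or a proxy capture), not the string read back from document.cookie.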