In my ASP.NET MVC 4 application I use a third-party service. And one of the service's terms of use is adding to all session cookies HttpOnly and Secure attributes.
WebSite hosted on Windows Azure and works on SSL.
I added to root web.config the following settings:
<httpCookies httpOnlyCookies="true" requireSSL="true" lockItem="true"/>
<authentication mode="Forms">
<forms loginUrl="~" timeout="2880" requireSSL="true" />
</authentication>
So now my application session cookie ".ASPXAUTH" has HttpOnly and Secure attributes.
But the main problem that Azure Balancer "WAWebSiteSID" and "ARRAffinity" cookies don't have this attributes.
Could you help me to find appropriate solution to add missing attributes to them?
I don't believe you can modify the secure and HttpOnly attributes as the cookies are added to the response downstream of the app (i.e. by a load balancing appliance that sits in front of the site).
Of course the pragmatic question is "why"? What advantage would you gain by not allowing client script or an MitM on the wire to access these cookies? They're nothing more than bytes of data intended to tie clients to site instances and contain nothing of a personal nature nor provide any conceivable upside for an attacker (at least not that I can think of).
The answer is probably "because it keeps a security scanning tool happy" which may make you feel warm and fuzzy, but of course it doesn't actually change the practical security position of the site one iota.