From everything I've read online, a web.config like this should enable HttpOnly cookies, in ASP.NET 2.0. However this is not working.
<configuration>
<system.web>
<httpCookies httpOnlyCookies="true" />
</system.web>
...
</configuration>
Is there something else I'm missing? I've seen many posts on this subject, but the cookies will not show up as HttpOnly (or secure, if I add the requireSSL="true" to the tag).
I'm using IIS 7.0.
Edit:
I'm trying to set this in the web.config at the root level to cover all cookies. I'm looking at the cookies in Firebug on the ASP page and the 'HttpOnly' section that should have green text saying 'HttpOnly' is empty for some of them.
Example: