I have a site running an application on which we have identified a vulnerability we wish to close. The CSS11501 is using the advance balance arrowpoint cookie method, however tests are showing that the HTTP only parameter is not set. I am unable to find a way of doing this at present. Does anyone know how to achieve this?
Until I can do so there is a remote possibility I am leaving my application open to cross site scripting attacks.
Microsoft use the HTTPOnly cookie option which sets an HTTPOnly flag. The following URL has some information for review.
Thanks in advance for your help.
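The check the poster describes ("tests are showing that the HTTP only parameter is not set") can be reproduced offline against captured Set-Cookie headers. The following is an added example, not code from the original post, from Cisco, or from any CSS 11501 documentation: it parses Set-Cookie header values and reports every cookie that lacks the HttpOnly attribute (and, for completeness, the Secure attribute). The cookie names and values are constructed samples, not real traffic; the load-balancer persistence cookie name in particular is a placeholder.

```python
"""Report cookies whose Set-Cookie header lacks HttpOnly (and Secure).

Added example, not from the original post or from Cisco. HttpOnly tells the
browser not to expose the cookie to script (document.cookie), which is why a
missing flag on a session or persistence cookie matters under XSS.
"""
from typing import List, NamedTuple


class CookieReport(NamedTuple):
    name: str
    httponly: bool
    secure: bool


def parse_set_cookie(header_value: str) -> CookieReport:
    """Parse one Set-Cookie header value into name and flag presence.

    The first ';'-separated part is name=value; the rest are attributes.
    Attribute names are case-insensitive per RFC 6265, so compare lowercased.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return CookieReport(name=name,
                        httponly="httponly" in attrs,
                        secure="secure" in attrs)


def find_missing_httponly(headers: List[str]) -> List[str]:
    """Return the names of all cookies that were set without HttpOnly."""
    return [r.name for r in map(parse_set_cookie, headers) if not r.httponly]


def find_missing_secure(headers: List[str]) -> List[str]:
    """Return the names of all cookies that were set without Secure."""
    return [r.name for r in map(parse_set_cookie, headers) if not r.secure]


# Constructed sample Set-Cookie values (placeholder names, not real traffic).
SAMPLE_HEADERS = [
    "LBPERSIST=0a1b2c3d; Path=/",                   # persistence cookie, no flags
    "APPSESSID=xyz789; Path=/; HttpOnly; Secure",   # correctly flagged
    "prefs=1; Expires=Wed, 01 Jan 2031 00:00:00 GMT; HttpOnly",
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        r = parse_set_cookie(h)
        print(f"{r.name}: HttpOnly={r.httponly} Secure={r.secure}")
    print("Missing HttpOnly:", find_missing_httponly(SAMPLE_HEADERS))
    print("Missing Secure:  ", find_missing_secure(SAMPLE_HEADERS))
```

Feed it the Set-Cookie values captured from a real response (for example with a browser's network panel or a proxy) to confirm whether the persistence cookie the balancer inserts is the one missing the flag, as distinct from cookies the application itself sets; the two are fixed in different places.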