Reputation: 37947
How do I tell ASP.Net to compress the Response, but not the Cookies in the Response? So all the HTML output, but not the cookies.
The BREACH attack remains unsolved. It works against TLS-secured, gzip-compressed responses that contain a secret.
Any site where you're logged in ought to have HTTPS enabled, and is going to keep on sending back in its response a cookie that has the perfect secret for an attacker to target, since if they can get it they've got your token and can masquerade as you.
There's no satisfactory solution to this, but one strong mitigation is to compress the secrets separately from the rest of the response, or not at all. Another is to include a CSRF token. For pages that display the result of submitting form data, a CSRF token is fine since we need to do this anyway, and caching isn't so important performance-wise. But for static pages we need to be able to cache, which makes the weight of a CSRF token too much.
If we could just tell ASP.Net not to compress the cookie, the only secret in those responses, we'd be good to go:
So, is this possible and if so how? I'm fine even with something like an HttpModule that does the gzip step, so long as it doesn't get you a corrupt response.
Some kind of patch or module that just separates the gzip compression contexts (the main proposed solution to BREACH) would be even better, but that seems like asking too much.
Note that there seems to be conflict in the security community as to whether BREACH can be used to get at cookies/session tokens in the first place:
Upvotes: 0
Views: 253
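As an added example (not code from the question, and not ASP.NET's own implementation), the Python script below shows two things relevant to this question. First, where `Content-Encoding: gzip` actually applies in an HTTP/1.1 response: the `Set-Cookie` header is carried in the uncompressed header block, and only the HTML body goes through gzip, so a cookie is never inside the compressed stream that BREACH measures. Second, the per-response masking that the "compress the secret separately or not at all" mitigation reduces to in practice for a secret that does have to live in the body, such as a CSRF token: the token is XORed with a fresh random mask on every render, so the same secret never appears as the same byte string twice and cannot be guessed byte-by-byte against compressed length. All token values and function names are constructed for the example.

```python
import gzip
import secrets

# Constructed sample secrets for the demo; not real tokens.
SESSION_TOKEN = b"constructed-session-token-0123456789abcdef"
CSRF_SECRET = bytes.fromhex("00112233445566778899aabbccddeeff")


def build_response(html: bytes, cookie_value: bytes) -> bytes:
    """Assemble a gzip-encoded HTTP/1.1 response.

    Only the body is passed through gzip. The Set-Cookie header is part of
    the plain header block, so it is never inside the compressed data.
    """
    body = gzip.compress(html, mtime=0)
    headers = (
        b"HTTP/1.1 200 OK\r\n"
        b"Content-Type: text/html; charset=utf-8\r\n"
        b"Content-Encoding: gzip\r\n"
        b"Set-Cookie: session=" + cookie_value + b"; Secure; HttpOnly\r\n"
        b"Content-Length: " + str(len(body)).encode() + b"\r\n"
        b"\r\n"
    )
    return headers + body


def split_response(raw: bytes) -> tuple[bytes, bytes]:
    """Return (header block, raw body) of a serialized response."""
    head, _, body = raw.partition(b"\r\n\r\n")
    return head, body


def mask_token(secret: bytes) -> bytes:
    """Mask a secret with a fresh random one-time pad and hex-encode it.

    The page carries mask || (mask XOR secret). Every render produces a
    different value, so the secret itself is not a stable substring of the
    compressed body.
    """
    mask = secrets.token_bytes(len(secret))
    masked = bytes(a ^ b for a, b in zip(mask, secret))
    return (mask + masked).hex().encode("ascii")


def unmask_token(field: bytes) -> bytes:
    """Recover the secret from a masked field submitted back by the browser."""
    raw = bytes.fromhex(field.decode("ascii"))
    half = len(raw) // 2
    mask, masked = raw[:half], raw[half:]
    return bytes(a ^ b for a, b in zip(mask, masked))


def render_form(secret: bytes) -> bytes:
    """Render a form whose hidden CSRF field holds a freshly masked token."""
    return (
        b'<form method="post" action="/submit">'
        b'<input type="hidden" name="csrf" value="' + mask_token(secret) + b'">'
        b'<input type="submit" value="Go"></form>'
    )


def extract_csrf_field(html: bytes) -> bytes:
    """Pull the hidden CSRF value back out of the rendered form."""
    marker = b'name="csrf" value="'
    start = html.index(marker) + len(marker)
    end = html.index(b'"', start)
    return html[start:end]


if __name__ == "__main__":
    raw = build_response(render_form(CSRF_SECRET), SESSION_TOKEN)
    head, body = split_response(raw)
    print(head.decode("ascii"))
    print("cookie in plain headers:", SESSION_TOKEN in head)
    print("body is gzip:", body[:2] == b"\x1f\x8b")
    print("cookie inside compressed body:", SESSION_TOKEN in gzip.decompress(body))
    page_a = render_form(CSRF_SECRET)
    page_b = render_form(CSRF_SECRET)
    print("two renders differ:", extract_csrf_field(page_a) != extract_csrf_field(page_b))
    print("both unmask to the secret:",
          unmask_token(extract_csrf_field(page_a)) == CSRF_SECRET
          and unmask_token(extract_csrf_field(page_b)) == CSRF_SECRET)
```

The masking is the same idea Django and Rails use for their CSRF tokens; it costs two token lengths of hex per page and no server-side state beyond the secret you already keep. It does nothing for cookies, and it does not need to: the question's premise that the cookie sits in the compressed output is the part that does not hold for HTTP/1.1 body compression.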