Coded Container

Reputation: 863

ASP Session Cookies Removal

Using the following web.config file properties I am not able to have my site either remove a session cookie or force the cookie to use HttpOnly. I am using a basic classic ASP website with the configuration below in my web.config file:

<configuration>
    <system.web>
        <httpCookies httpOnlyCookies="true" />
        <sessionState mode="Off" cookieless="true" />
    </system.web>
</configuration>

I have tried to use the following outbound rule to rewrite the URL; however, when the site gets scanned using Qualys it does not rewrite the cookie before the website is scanned. Here is the property code that is not working:

<outboundRules>
    <rule name="Add HttpOnly" preCondition="No HttpOnly">
        <match serverVariable="RESPONSE_Set_Cookie" pattern=".*" negate="false" />
        <action type="Rewrite" value="{R:0}; HttpOnly" />
        <conditions>
        </conditions>
    </rule>
    <preConditions>
        <preCondition name="No HttpOnly">
            <add input="{RESPONSE_Set_Cookie}" pattern="." />
            <add input="{RESPONSE_Set_Cookie}" pattern="; HttpOnly" negate="true" />
        </preCondition>
    </preConditions>
</outboundRules>

Upvotes: 1

Views: 1375

Answers (1)

Onga Leo-Yoda Vellem

Reputation: 296

You could always ask the client to 'kill' the cookie (with code attached below) and hope it does so. If this doesn't happen, it could be that there is a bug on the client side or that a user has copied the cookie out of the browser before the expiration, and copies it back in. Anyway... If you can't find a fix, the workaround would be to kill the cookie EVERY TIME you use it.

using System;
using System.Web;

// cookieName is the name of the cookie to clear (e.g. the session cookie).
// Sending a cookie with the same name and an Expires date in the past tells
// the browser to discard it; any past date will do.
HttpCookie cookieToKill = new HttpCookie(cookieName);
cookieToKill.Expires = DateTime.UtcNow.AddDays(-1);
Response.Cookies.Add(cookieToKill);

Upvotes: 2
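As an added example (not code from the question or the answer above), a small Python check that mirrors what the outbound rule in the question is meant to do and what a scanner such as Qualys looks for: it parses each Set-Cookie header of a response, appends HttpOnly only when the flag is absent, and reports missing HttpOnly/Secure flags and whether an Expires in the past (the answer's 'kill' approach) actually clears the cookie. The sample headers and cookie names are constructed for the example and are not from the page.

```python
import email.utils
from datetime import datetime, timezone

# Constructed sample Set-Cookie headers, modelled on what a classic ASP site
# might return: a session cookie without HttpOnly, a cookie already flagged,
# and a cookie being cleared with an Expires date in the past.
SAMPLE_SET_COOKIE_HEADERS = [
    "ASPSESSIONIDACQRBTDS=ABCDEFGHIJKLMNOPABCDEFGH; path=/",
    "prefs=dark; path=/; Secure; HttpOnly",
    "legacy=1; expires=Wed, 01 Jan 2020 00:00:00 GMT; path=/",
]


def parse_set_cookie(value):
    """Split one Set-Cookie header into (name, value, {attribute: value}).
    Attribute names are lower-cased because they are case-insensitive."""
    parts = [p.strip() for p in value.split(";")]
    name, _, cookie_value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), cookie_value, attrs


def add_httponly(value):
    """Mirror the outbound rule's intent: append '; HttpOnly' only when the
    header does not already carry the flag (checked case-insensitively)."""
    _, _, attrs = parse_set_cookie(value)
    return value if "httponly" in attrs else value + "; HttpOnly"


def audit_cookie(value, now=None):
    """Return (cookie name, findings) for one Set-Cookie header."""
    now = now or datetime.now(timezone.utc)
    name, _, attrs = parse_set_cookie(value)
    findings = []
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")
    if "secure" not in attrs:
        findings.append("missing Secure")
    if "expires" in attrs:
        # A past Expires is how the 'kill the cookie' code tells the browser
        # to discard it; report whether this header actually does that.
        if email.utils.parsedate_to_datetime(attrs["expires"]) <= now:
            findings.append("expired (cookie cleared)")
    return name, findings


def audit_headers(headers, now=None):
    """Audit every Set-Cookie header of a response, keyed by cookie name."""
    return dict(audit_cookie(h, now) for h in headers)
```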
