How exactly do you configure httpOnlyCookies in ASP.NET?
Inspired by this CodingHorror article, "Protecting Your Cookies: HttpOnly"
How do you set this property? Somewhere in the web config?
If you're using ASP.NET 2.0 or greater, you can turn it on in the Web.config file. In the <system.web> section, add the following line:
<httpCookies httpOnlyCookies="true"/>
With props to Rick (second comment down in the blog post mentioned), here's the MSDN article on httpOnlyCookies.
Bottom line is that you just add the following section in your system.web section in your web.config:
<httpCookies domain="" httpOnlyCookies="true|false" requireSSL="true|false" />