Last post Sep 08, 2009 01:08 PM by tlohrbeer
Mar 28, 2006 03:17 PM|LearningSecurity
Apr 02, 2006 03:50 AM|markberr
Sep 08, 2009 01:08 PM|tlohrbeer
Please enable this as a setting in future versions of ASP.Net. This setting breaks applications that require access to the session cookie to enforce security. I appreciate Microsoft's new focus on security consciousness, but this should mean good defaults, not blocking configuration altogether.
For us, the problem is that these cookies are being blocked so Java applets cannot access them. So any pages accessed by a Java applet get redirected to the login page. I suspect the same problem appears in other plugins which connect back to the server to retrieve data. The workaround is either to make the data access pages anonymous, which is a huge security hole, or to turn off the HttpOnly flag on session cookies using a hack.
For those needing a workaround that turns the HttpOnly flag off for session cookies, see: