In the article The 80/20 Rule for Web Application Security, one of the proposed measures for protecting sensitive cookies is adding the httpOnly flag. This attribute prevents the cookie from being read by client-side script, so a cross-site scripting attack cannot simply lift it (a session cookie, for instance) from document.cookie.
All you have to do in ASP.NET 2.0 to take advantage of this security feature is to add the httpCookies element with the httpOnlyCookies attribute set to true to web.config:
```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
  <system.web>
    <httpCookies httpOnlyCookies="true"/>
  </system.web>
</configuration>
```
That's it - but you are still free to override this on a per-cookie basis.
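An added example, not part of the original post: a small Python audit that parses the Set-Cookie headers a response sends and reports any cookie that lacks the HttpOnly attribute, which is how you confirm the web.config setting actually took effect (and catch a per-cookie override). The header values below are constructed to resemble what an ASP.NET 2.0 application emits before and after the change.

```python
from typing import Dict, List


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split one Set-Cookie header value into cookie name, value and attributes.

    Attributes are keyed by their lowercase name; flag attributes such as
    HttpOnly or Secure that carry no value map to True.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value, "attrs": attrs}


def cookies_missing_httponly(headers: List[str]) -> List[str]:
    """Return the names of cookies whose Set-Cookie header has no HttpOnly."""
    missing = []
    for header in headers:
        cookie = parse_set_cookie(header)
        if "httponly" not in cookie["attrs"]:
            missing.append(cookie["name"])
    return missing


# Constructed sample headers (cookie values are made up), modelled on what an
# ASP.NET 2.0 site sends before and after httpOnlyCookies="true" is applied.
BEFORE = [
    "ASP.NET_SessionId=abc123; path=/",
    ".ASPXAUTH=token; path=/; HttpOnly",
    "prefs=theme=dark; path=/",
]
AFTER = [
    "ASP.NET_SessionId=abc123; path=/; HttpOnly",
    ".ASPXAUTH=token; path=/; HttpOnly",
    "prefs=theme=dark; path=/; HttpOnly",
]

if __name__ == "__main__":
    print("before:", cookies_missing_httponly(BEFORE))  # ['ASP.NET_SessionId', 'prefs']
    print("after:", cookies_missing_httponly(AFTER))    # []
```

Feed it the real Set-Cookie lines from a browser's network inspector or a proxy capture to check a deployed site.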