From: Ryan Barnett <Ryan.Barnett@Breach.com> - 2008-12-21 15:45:16
I posted this Blog entry on Friday and thought I would notify the list -
At the end of the post, there are two sets of rules -
1) To identify any SessionID Set-Cookie response headers that do NOT have the HTTPOnly flag set, and
2) Taking this to the next step, the rules show how you can use ModSecurity's "setenv" action to set an ENV token that Apache can use with the Header directive to add the HTTPOnly flag on the fly.
Ryan C. Barnett
Director of Application Security
Breach Security, Inc.
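An added example of the two rule sets the post describes (my own illustration, not the rules from Ryan's blog entry): ModSecurity 2.x rules that flag a session ID Set-Cookie response header lacking HttpOnly and export an ENV token, followed by the Apache `Header` directive that consumes it. The cookie names, the variable name `httponly_cookie`, the rule id and the Apache 2.2.4+ requirement for `Header edit` are assumptions.

```apache
# Added example (not the rules from the blog post). Assumes ModSecurity 2.x and
# Apache 2.2.4 or later (for "Header edit"). Cookie names, the rule id and the
# ENV variable name are illustrative.

# Rule set 1: inspect every Set-Cookie / Set-Cookie2 response header in phase 3.
# The first rule selects session ID cookies; the chained rule matches only when
# that same header value carries no HttpOnly attribute, and the defect is logged.
SecRule RESPONSE_HEADERS:/Set-Cookie2?/ "^(?i:JSESSIONID|PHPSESSID|ASP\.NET_SessionId)=" \
    "phase:3,chain,t:none,pass,log,id:'900100',severity:'4',\
    msg:'Session ID cookie set without HttpOnly flag',logdata:'%{matched_var}'"
    # Rule set 2 hangs off the same chain: setenv sits on the last rule so the
    # ENV token is exported only when the whole chain has matched.
    SecRule MATCHED_VAR "!(?i:;\s*httponly\s*(?:;|$))" \
        "t:none,setenv:httponly_cookie=%{matched_var}"

# Apache appends the flag on the fly, but only for responses where ModSecurity
# exported the token, and only to session cookies that still lack HttpOnly
# (the negative lookahead leaves already-flagged cookies untouched).
Header edit Set-Cookie "^((?i:JSESSIONID|PHPSESSID|ASP\.NET_SessionId)=(?:(?!;\s*(?i:httponly)).)*)$" \
    "$1; HttpOnly" env=httponly_cookie
```

With a chained rule, MATCHED_VAR holds the last header matched by the first rule, so a response that sets several session cookies in one go is logged once; the `Header edit` regex still fixes each of them.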