Using IIS Rewrite to add HttpOnly Flag To Cookies Not Working

Question

I found numerous examples of adding the HttpOnly to my cookies but it does not work for me and I am not sure why. All the examples I found were the same and I copied this one from one of the posts that I had found. I am using .NET 3.5 under IIS 7.0. Hopefully someone can tell me what I am doing wrong? Thanks

<rewrite>
  <outboundRules>
    <rule name="Add HttpOnly" preCondition="No HttpOnly">
      <match serverVariable="RESPONSE_Set_Cookie" pattern=".*" negate="false" />
      <action type="Rewrite" value="{R:0}; HttpOnly" />
      <conditions>
      </conditions>
    </rule>
    <preConditions>
      <preCondition name="No HttpOnly">
        <add input="{RESPONSE_Set_Cookie}" pattern="." />
        <add input="{RESPONSE_Set_Cookie}" pattern="; HttpOnly" negate="true" />
      </preCondition>
    </preConditions>
  </outboundRules>
</rewrite>

UPDATE

I figured out how to turn on tracing and found that the preCondition is looking at all the cookies as a whole instead of each individual cookie.

So instead of evaluating

Set-Cookie: myC5=we have S Cookie; path=/; secure
Set-Cookie: myC6=we have S Cookie; path=/; secure
Set-Cookie: myC7=we have S Cookie; path=/; secure; HttpOnly

It is evaluating

myC5=we have S Cookie; path=/; secure,myC6=we have S Cookie; path=/; secure,myC7=we have S Cookie; path=/; secure; HttpOnly

Since the whole string has ; HttpOnly in it, the preCondition fails.

How do I get past this? Any ideas?

Answer 1

I finally got pass this so I wanted to post for others that might run into this. I removed my preConditions and just used conditions. I then had to use the back reference to get to the single cookie.

    <rewrite>
        <outboundRules>
            <rule name="Add HttpOnly">
                <match serverVariable="RESPONSE_Set_Cookie" pattern=".*" />
                <conditions>
                    <add input="{R:0}" pattern="; HttpOnly" negate="true" />
                </conditions>
                <action type="Rewrite" value="{R:0}; HttpOnly" />
            </rule>
            <rule name="Add Secure">
                <match serverVariable="RESPONSE_Set_Cookie" pattern=".*" />
                <conditions>
                    <add input="{R:0}" pattern="; Secure" negate="true" />
                </conditions>
                <action type="Rewrite" value="{R:0}; Secure" />
            </rule>
        </outboundRules>
    </rewrite>

Hope this helps someone in the future.