ASP MVC 3 cookie losing HttpOnly and Secure flags

Try this, looks like a similar issue. (How can I set the Secure flag on an ASP.NET Session Cookie?)

In the <system.web> element, add the following element:

<httpCookies requireSSL="true" />

However, if you have a <forms> element in your system.web\authentication block, then this will override the setting in httpCookies, setting it back to the default false.

In that case, you need to add the requireSSL="true" attribute to the forms element as well.

So you will end up with:

<system.web>
  <authentication mode="Forms">
    <forms requireSSL="true">
        /* forms content */
    </forms>
  </authentication>
</system.web>

It seems like this is all correct behaviour, I wrote another question specifically about the httponly client cookie behaviour, and that led to another post... what a rabbit hole.

What should be the correct behaviour of browser when sending and receiving httponly cookie via ajax?

Anyway that seems to indicate the server needs to keep tampering with the cookie to add the HttpOnly behaviour.

I have made a custom httpmodule which will check for the cookie in question and re-apply the desired behaviour to the cookie (based on configurations from the web.config)