Synopsis
You’re using HAProxy or the ALOHA Load-Balancer to load-balance IIS 6.0 web applications and you want them to successfully pass the PCI compliance test.
One of the prerequisites is to flag the session cookie as “HttpOnly”, which tells the browser to send the cookie with HTTP requests only and keeps it out of reach of client-side JavaScript (which could otherwise read it to steal the session).
Unfortunately, IIS 6.0 is not able to set up such cookies itself. That’s why HAProxy can be used to rewrite the cookie on the fly, as soon as the application server sets it.
Rewriting Appsession Cookie with HAProxy
Place the configuration line below in your backend configuration:
rspirep ^Set-Cookie:\ (appsession.*) Set-Cookie:\ \1;\ HttpOnly
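To see exactly what this rule does (and does not) cover, here is a small added simulation of it in Python; it is not part of the original page or of HAProxy itself. It models rspirep as a case-insensitive regex substitution over each response header line and adds the kind of check a PCI scanner performs: every Set-Cookie header must carry an HttpOnly attribute. The response headers are constructed sample data, not captured traffic. Note that current HAProxy releases have dropped the rsprep/rspirep directives in favour of http-response replace-header; the matching logic shown here is the same.

```python
import re

# Stand-in for the HAProxy rule from the page:
#   rspirep ^Set-Cookie:\ (appsession.*) Set-Cookie:\ \1;\ HttpOnly
# rspirep applies a case-insensitive regex to each response header line and
# replaces the matched part, keeping back-references such as \1.
SEARCH = re.compile(r"^Set-Cookie: (appsession.*)", re.IGNORECASE)
REPLACE = r"Set-Cookie: \1; HttpOnly"

# Constructed sample response, roughly what an IIS 6.0 application could emit.
SAMPLE_RESPONSE = [
    "HTTP/1.1 200 OK",
    "Content-Type: text/html",
    "Set-Cookie: appsession=8F3A1C; path=/",
    "set-cookie: AppSession=ABC123; path=/app",      # mixed case: still matched by rspirep
    "Set-Cookie: ASP.NET_SessionId=xyz; path=/",     # not named appsession: left untouched
    "Set-Cookie: appsession=old; path=/; HttpOnly",  # already flagged: attribute is appended again
]


def rewrite_headers(headers):
    """Apply the rspirep rule to every header line ('Name: value')."""
    return [SEARCH.sub(REPLACE, line) for line in headers]


def cookies_missing_httponly(headers):
    """Return the names of cookies whose Set-Cookie header lacks HttpOnly.

    This mirrors the per-response check a PCI compliance scanner runs.
    """
    missing = []
    for line in headers:
        name, sep, value = line.partition(":")
        if sep != ":" or name.strip().lower() != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        attributes = [p.lower() for p in parts[1:]]
        if "httponly" not in attributes:
            missing.append(cookie_name)
    return missing


if __name__ == "__main__":
    print("Before rewrite, missing HttpOnly:", cookies_missing_httponly(SAMPLE_RESPONSE))
    rewritten = rewrite_headers(SAMPLE_RESPONSE)
    for line in rewritten:
        print(line)
    print("After rewrite, missing HttpOnly:", cookies_missing_httponly(rewritten))
```

Running it shows two things worth knowing before relying on the rule: only cookies whose name starts with "appsession" are fixed, so any other session cookie (the ASP.NET_SessionId line above) still fails the scanner, and a cookie that already carries HttpOnly ends up with the attribute twice, which browsers tolerate but which is a sign the rule could be narrowed.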
Now your application is “more” secure… Well, at least you can successfully pass the PCI compliance tests!