The HttpOnly attribute has been added to the Session cookie generated by ASP.NET 2.0. This value is hardcoded and cannot be changed via a setting in the application. While this is documented as a breaking change in the breaking changes document (linked
In 1.1, we used the requireSSL attribute to ensure that the FormsAuthentication cookie has the secure attribute set. In 2.0, if you have requireSSL set, we'll remove the cookie from the incoming request if the web server receives the cookie over a non-secure