Penetration Testing mailing list archives

HTTP Secure Cookie Directive setting


From: kapil assudani <kapil.assudani () yahoo com>
Date: Fri, 6 Apr 2007 08:33:09 -0700 (PDT)

Hi,

I'd like to know configuration of HTTP Secure Flag setting in the following scenario:

IIS Web Server<-----http(80)--------->Alteon Switch SSL Accelerator/Offloader<------ssl(443)----------->Client

So here in this case a client browser is actually negotiating SSL with the SSL accelerator box, which is obviously put
in place for improving performance and offloading SSL handshake/processing from the web server. So all the traffic from
the SSL Accelerator/Offloader to the web server is unencrypted HTTP, and all the SSL communication is between the
client and the switch and gets terminated there.

The client has set all configurations on the IIS web server for setting ASPSESSION cookies with the Secure directive as
directed on MSDN, and since the SSL is terminating at the Alteon switch accelerator, the cookie eventually is not set
"Secure".

I was wondering if anybody knows of a workaround for this in order to enable the Secure directive in this scenario
from the server side?

Thanks

SecN3rd




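The topology in the post is the classic TLS-offload problem: the web server only ever sees port-80 traffic, so anything that decides "is this connection SSL?" server-side answers no, and the Secure attribute never gets emitted. The usual fix is to let the hop that actually terminated TLS tell the back end about it and to add the attribute at the back end (or at the proxy) based on that signal. The following is an added example, not code from the original post, from Alteon or from IIS: a small Python/WSGI middleware that appends "; Secure" to outgoing Set-Cookie headers when an upstream offloader reports the client side was HTTPS. It assumes a hypothetical header, X-Forwarded-Proto, that the offloader is configured to add, and it only trusts that header when the TCP peer is one of a configured set of offloader addresses, since a client that can reach port 80 directly could otherwise spoof the header. Cookie names and addresses in the demo are constructed.

```python
"""Add the Secure attribute to Set-Cookie headers behind a TLS offloader.

Added example (not from the original post). Assumptions:
  * the offloader adds a header X-Forwarded-Proto: https (hypothetical name);
  * the offloader's source addresses are known, so the header is only trusted
    when the request arrived from one of them (REMOTE_ADDR in WSGI).
"""
from typing import Dict, Iterable, List, Set, Tuple


def has_attribute(set_cookie: str, name: str) -> bool:
    """True if a Set-Cookie header value already carries attribute `name`.

    Attributes follow the first ';'; comparison is case-insensitive and
    tolerates both flag attributes (Secure, HttpOnly) and key=value ones.
    """
    attrs = [p.strip() for p in set_cookie.split(";")[1:]]
    return any(a.split("=", 1)[0].strip().lower() == name.lower() for a in attrs)


def add_secure_flag(set_cookie_headers: Iterable[str], forwarded_proto: str,
                    peer_ip: str, trusted_offloaders: Set[str]) -> List[str]:
    """Return the Set-Cookie values with '; Secure' appended where warranted.

    The attribute is added only when the request came from a trusted offloader
    AND that offloader says the client leg was https.  Anything else (direct
    client on port 80, header missing, header spoofed) leaves headers as-is.
    """
    headers = list(set_cookie_headers)
    if peer_ip not in trusted_offloaders:
        return headers                       # header cannot be trusted here
    if (forwarded_proto or "").strip().lower() != "https":
        return headers                       # client leg was not TLS
    out = []
    for h in headers:
        if has_attribute(h, "Secure"):
            out.append(h)                    # do not duplicate the attribute
        else:
            out.append(h.rstrip().rstrip(";") + "; Secure")
    return out


class SecureCookieMiddleware:
    """WSGI wrapper that rewrites Set-Cookie on the way out."""

    def __init__(self, app, trusted_offloaders: Set[str]):
        self.app = app
        self.trusted = set(trusted_offloaders)

    def __call__(self, environ: Dict, start_response):
        proto = environ.get("HTTP_X_FORWARDED_PROTO", "")   # hypothetical header
        peer = environ.get("REMOTE_ADDR", "")

        def _start_response(status, headers: List[Tuple[str, str]], exc_info=None):
            cookies = [v for k, v in headers if k.lower() == "set-cookie"]
            others = [(k, v) for k, v in headers if k.lower() != "set-cookie"]
            fixed = add_secure_flag(cookies, proto, peer, self.trusted)
            return start_response(status, others + [("Set-Cookie", c) for c in fixed], exc_info)

        return self.app(environ, _start_response)


# --- constructed demo: a session cookie the way a back end might emit it ---
DEMO_COOKIE = "ASPSESSIONIDQQGGQ=example; path=/"     # constructed value
OFFLOADER_IP = "10.0.0.5"                              # constructed address


def _demo_app(environ, start_response):
    start_response("200 OK", [("Content-Type", "text/plain"), ("Set-Cookie", DEMO_COOKIE)])
    return [b"hello"]


def run_demo(forwarded_proto: str, peer_ip: str) -> List[Tuple[str, str]]:
    """Run one request through the middleware and return the response headers."""
    captured: Dict[str, List[Tuple[str, str]]] = {}

    def start_response(status, headers, exc_info=None):
        captured["headers"] = headers

    app = SecureCookieMiddleware(_demo_app, {OFFLOADER_IP})
    environ = {"REMOTE_ADDR": peer_ip, "HTTP_X_FORWARDED_PROTO": forwarded_proto}
    list(app(environ, start_response))        # consume the body iterator
    return captured["headers"]


if __name__ == "__main__":
    for proto, peer in (("https", OFFLOADER_IP), ("http", OFFLOADER_IP), ("https", "203.0.113.9")):
        print(proto, peer, "->", run_demo(proto, peer))
```

Two things to check before relying on something like this in production: confirm on the offloader that the header really is stripped from incoming client requests and re-added by the device (otherwise the trusted-peer check is the only thing standing between a client and a forged header), and verify the result from the outside by inspecting the Set-Cookie line the browser actually receives over port 443 rather than what the back end thinks it sent.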


