You’re using HAProxy or the ALOHA Load-Balancer to load-balance IIS 6.0 web applications and you want them to pass PCI compliance tests successfully.
Unfortunately, IIS 6.0 is not able to set up such cookies (cookies carrying the HttpOnly flag). That’s why HAProxy can be used to update the cookie on the fly, when it is set by the application server.
Rewriting appsession Cookie with HAProxy
Place the configuration line below in your backend configuration:
rspirep ^Set-Cookie:\ (appsession.*) Set-Cookie:\ \1;\ HttpOnly
Now, your application is “more” secure… Well, at least, you can successfully pass the PCI compliance tests!
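To see what the rspirep rule above matches before deploying it, here is an added example (not part of the original post, and not HAProxy code): a Python model of the rule run over constructed response headers, plus a check that lists matching cookies still lacking HttpOnly. It goes slightly beyond the single case in the text by covering a lower-case header name, a cookie whose name only starts with appsession, and a cookie that already carries the flag. The function names and sample headers are assumptions made for illustration.

```python
import re

# Model of the page's rule. In HAProxy config "\ " is an escaped space, and the
# "i" in rspirep makes the whole match case-insensitive.
RULE = re.compile(r"^Set-Cookie: (appsession.*)", re.IGNORECASE)


def rewrite(header_lines):
    """Apply the rule to every response header line and return the new lines."""
    return [RULE.sub(r"Set-Cookie: \1; HttpOnly", line) for line in header_lines]


def missing_httponly(header_lines, prefix="appsession"):
    """Names of cookies starting with `prefix` whose Set-Cookie lacks HttpOnly."""
    missing = []
    for line in header_lines:
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if cookie_name.lower().startswith(prefix) and "httponly" not in attrs:
            missing.append(cookie_name)
    return missing


# Constructed sample response headers (not captured from a real server).
SAMPLE = [
    "HTTP/1.1 200 OK",
    "Content-Type: text/html",
    "Set-Cookie: appsession=0123456789abcdef; path=/",
    "set-cookie: AppSessionId=fedcba; path=/app",    # case differs, prefix matches
    "Set-Cookie: lang=en; path=/",                   # not matched, left unchanged
    "Set-Cookie: appsession2=aa; path=/; HttpOnly",  # flag already set by the app
]

if __name__ == "__main__":
    print("missing before:", missing_httponly(SAMPLE))
    rewritten = rewrite(SAMPLE)
    for line in rewritten:
        print(line)
    # The last sample line ends up with the attribute twice, because the rule
    # appends unconditionally.
    print("missing after:", missing_httponly(rewritten))
```

The rule only touches cookies whose name begins with appsession, so any other cookie that needs the flag (lang in the sample) requires its own rule.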