Recently I had a PCI compliance scan on a server running SBS 2011 fail due to the following errors:
1) Missing Secure Flag From SSL Cookie
2) Missing HttpOnly Flag From Cookie
I came across a previous similar question that was answered by Xiu Zhang with an answer of "it cannot be changed" and "it is by design". I also ran across another article elsewhere, where an individual apparently successfully set these flags by placing the line
<httpCookies httpOnlyCookies="true" requireSSL="true"/>
in the web.config file for OWA. This however broke OWA in my case, as in the case of the previous question.
The bottom line is that the ASV will only give me an exception "if you can confirm that the cookies missing this flag are only used before authenticating and that they do not contain sensitive data". This essentially means I need either some documentation or semi-official confirmation from someone at Microsoft that this is the case.
Timothy J Walsh
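As an added example (not part of the post above), the check below reproduces what the ASV finding is reporting: it parses each Set-Cookie header of a response and lists the cookies that lack the Secure or HttpOnly attribute, so you can see exactly which cookies need the exception argument. The sample headers and cookie names are constructed for illustration, not captured from OWA.

```python
"""Audit Set-Cookie headers for the Secure and HttpOnly attributes.

Added example, not code from the original post. The sample headers below
are constructed; the cookie names are illustrative, not OWA's own.
"""
from typing import Dict, List

# Constructed sample: Set-Cookie headers as they might appear in one
# HTTPS response. Only the first cookie would pass the ASV check.
SAMPLE_SET_COOKIE_HEADERS = [
    "sessionid=abc123; path=/; secure; HttpOnly",
    "pre_auth_pref=1; path=/; HttpOnly",
    "ui_lang=en-US; path=/",
    "ctx=xyz789; path=/; secure",
]


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split one Set-Cookie header into its name, value and attribute flags.

    Attribute names are compared case-insensitively (RFC 6265 treats
    'Secure', 'secure' and 'HttpOnly', 'httponly' alike).
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return {
        "name": name.strip(),
        "value": value,
        "secure": "secure" in attrs,
        "httponly": "httponly" in attrs,
    }


def audit_cookies(headers: List[str]) -> Dict[str, List[str]]:
    """Return {cookie_name: [missing attributes]} for every failing cookie.

    Cookies that carry both Secure and HttpOnly are omitted from the result,
    so an empty dict means the response would pass this part of the scan.
    """
    findings: Dict[str, List[str]] = {}
    for header in headers:
        cookie = parse_set_cookie(header)
        missing = [flag for flag, ok in (("Secure", cookie["secure"]),
                                         ("HttpOnly", cookie["httponly"]))
                   if not ok]
        if missing:
            findings[str(cookie["name"])] = missing
    return findings


if __name__ == "__main__":
    for name, missing in audit_cookies(SAMPLE_SET_COOKIE_HEADERS).items():
        print(f"{name}: missing {', '.join(missing)}")
```

To run it against a live response, pass `resp.headers.get_all("Set-Cookie")` from an `http.client.HTTPResponse` (or the equivalent list from your HTTP library) to `audit_cookies`.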