ASP.NET 2.0 からセッション ID の HttpOnly 属性が有効になっている

ASP.NET 2.0 から HttpOnly 属性がサポートされ、セッション ID の HttpOnly 属性はデフォルトで有効になったようです。

Forms Authentication Cookies

HttpOnly. This property specifies whether the cookie can be accessed by client script. In ASP.NET 2.0, this value is always set to true.

Explained: Forms Authentication in ASP.NET 2.0

docs.microsoft.com

ASP.NET 2.0 and the new HTTP-only property

This property is already set by default for Authentication and Sessions cookies in ASP.NET 2.0 but not for manually issued cookies.

DevBlogs

Get the latest information, insights, announcements, and news from Microsoft.

devblogs.microsoft.com

実際に、ASP.NET 4.0 のレスポンスヘッダーを確認すると、HttpOnly 属性が有効になっていることが分かります。

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: ASP.NET_SessionId=naoxlnh3vp1pogerdc1oi4lz; path=/; HttpOnly
X-Powered-By: ASP.NET
X-Frame-Options: DENY
Date: Thu, 28 Feb 2013 06:20:02 GMT
Content-Length: 1069