jerryhoff / WebGoat.NET

OWASP WebGoat.NET

can't steal session ID cookie

bachrach44 opened this issue · comments

The ASP.Net_SessionID cookie is httponly. While this is good for security, it's bad for webgoat. It would be nice to be able to demonstrate cookie stealing with the XSS attacks. Let's set it to not be that way initially, and part of the job of fixing webgoat is to change it to be httponly.

commented

Should be working. HttpOnlyCookies is now set to false.

edit: should be now and not not!

HttpOnlyCookies should be false in order to be accessed by JavaScript and therefore be available for stealing. If HttpOnlyCookies is True, then JavaScript cannot access it.

EDIT: I think you meant now, instead of not - so nevermind.

commented

Sorry, typo on my part. Should say is NOW set to false.

<httpCookies httpOnlyCookies="false"/>
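The behaviour the thread relies on is that a cookie carrying the HttpOnly attribute is never exposed through document.cookie, so a script injected via XSS cannot read it, while with httpOnlyCookies="false" the session cookie is readable like any other. The snippet below is an added example, not code from the WebGoat.NET repository: it parses Set-Cookie headers, reports which cookies page scripts would see, and flags a session cookie that lacks HttpOnly. The two header sets are constructed to mirror the weak and the default ASP.NET configuration; the helper names are assumptions for this example.

```javascript
// Added example (not from the WebGoat.NET project): audit Set-Cookie headers
// for session cookies that a page script could read via document.cookie.

// Constructed sample headers. The first set mirrors what the application
// would send with <httpCookies httpOnlyCookies="false"/>, the second the
// ASP.NET default (httpOnlyCookies="true").
const SAMPLE_HEADERS_WEAK = [
  "ASP.NET_SessionId=abc123def456; path=/",
  "theme=dark; path=/",
];
const SAMPLE_HEADERS_HARDENED = [
  "ASP.NET_SessionId=abc123def456; path=/; HttpOnly",
  "theme=dark; path=/",
];

// Parse one Set-Cookie header value into { name, value, attrs }.
// Attribute names are lower-cased; flag attributes (HttpOnly, Secure) map to true.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? "" : pair.slice(eq + 1);
  const attrs = {};
  for (const part of rest) {
    if (!part) continue;
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1);
  }
  return { name, value, attrs };
}

// Cookies without HttpOnly are exactly what document.cookie returns to any
// script running in the page, so this models the browser-side exposure.
function scriptVisibleCookies(headers) {
  return headers
    .map(parseSetCookie)
    .filter((c) => !("httponly" in c.attrs))
    .map((c) => `${c.name}=${c.value}`)
    .join("; ");
}

// Cookie names treated as session identifiers (assumed list for this example;
// ASP.NET_SessionId is the one discussed in the issue).
const SESSION_COOKIE_NAMES = new Set(["asp.net_sessionid"]);

// Return one finding per session cookie that is readable from script.
function auditSessionCookies(headers) {
  const findings = [];
  for (const c of headers.map(parseSetCookie)) {
    if (!SESSION_COOKIE_NAMES.has(c.name.toLowerCase())) continue;
    if (!("httponly" in c.attrs)) {
      findings.push(`${c.name}: missing HttpOnly, readable via document.cookie`);
    }
  }
  return findings;
}

console.log("weak config, visible to script:", scriptVisibleCookies(SAMPLE_HEADERS_WEAK));
console.log("weak config, findings:", auditSessionCookies(SAMPLE_HEADERS_WEAK));
console.log("hardened config, findings:", auditSessionCookies(SAMPLE_HEADERS_HARDENED));
```

With the weak header set the session cookie appears in the script-visible string and the audit produces one finding; with the hardened set only the theme cookie is visible and the audit is clean. The same check can be run against real responses by feeding in the Set-Cookie values from a fetch or proxy capture.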