Setting Secure and HTTPOnly Flag for Session Generated Cookie in Classic ASP Website Running on IIS 6.0

The ASP Session Cookie can not be modified by Classic ASP code, so for IIS 6 you would need to have ISAPI module rewrite the cookies.

Setting HTTPONLY for Classic Asp Session Cookie

http://msdn.microsoft.com/en-us/library/ms972826

Client side JavaScript workaround

http://ko-lwin.blogspot.com/2010/12/how-to-secure-classic-asp-session-id.html