I compiled the Microsoft's ISAPI filter example. This solved my problem.

The ISAPI DLL is here

Feel free to download.

Response.AddHeader "Set-Cookie", "CookieName=CookieValue; path=/; HttpOnly" 

Source: http://www.asp101.com/tips/index.asp?id=160

Microsoft includes an example using an ISAPI filter to all outbound cookies: http://msdn.microsoft.com/en-us/library/ms972826

or URL rewriting could be used http://forums.iis.net/p/1168473/1946312.aspx

<rewrite>
        <outboundRules>
            <rule name="Add HttpOnly" preCondition="No HttpOnly">
                <match serverVariable="RESPONSE_Set_Cookie" pattern=".*" negate="false" />
                <action type="Rewrite" value="{R:0}; HttpOnly" />
                <conditions>
                </conditions>
            </rule>
            <preConditions>
                <preCondition name="No HttpOnly">
                    <add input="{RESPONSE_Set_Cookie}" pattern="." />
                    <add input="{RESPONSE_Set_Cookie}" pattern="; HttpOnly" negate="true" />
                </preCondition>
            </preConditions>
        </outboundRules>
    </rewrite>

Setting the ASP session cookie as HttpOnly can be done in web.config using URLrewrite:

<rewrite>
    <outboundRules>
        <rule name="Secure ASP session cookie">
            <match serverVariable="RESPONSE_Set_Cookie" pattern="ASPSESSIONID(.*)" negate="false" />
            <!--<action type="Rewrite" value="ASPSESSIONID{R:1}; HttpOnly; Secure" />-->
            <action type="Rewrite" value="ASPSESSIONID{R:1}; HttpOnly" />
        </rule> 
    </outboundRules>
</rewrite>

It's also possible to use URLrewrite to make all cookies HttpOnly / Secure, but sometimes you need cookies to be readable in JavaScript, so here's a collection of functions and sub routines I wrote a while ago for creating regular cookies that can enable or disable "HttpOnly" and "Secure":

' *********************************************************************************************************
' Set a cookie
' *********************************************************************************************************

sub set_cookie(cookie_name,cookie_value,cookie_path,http_only,secure,expire)

    Dim cookie_header, split_expire, expire_value

    ' Set the cookie name and value. The value must be URL encoded.

    cookie_header = cookie_name & "=" & server.URLEncode(cookie_value) & "; "

    ' To set cookies that can be accessed by sub domains, you need to specify the domain as
    ' ".mydomain.com". If no domain is specified then the cookie will be set as "host only",
    ' and only be accessible to the domain it was set on. Un-comment to disable host only:

    'cookie_header = cookie_header & "Domain=.mydomain.com; "

    ' Check the expire value for a specific expiry length (e.g; "1 year")
    ' For session cookies, the expiry should be set to null.

    if NOT isDate(expire) AND NOT isNull(expire) then

        ' Remove any double spaces and trim the value.

        expire = replace(expire,"  "," ")
        expire = trim(expire)

        ' Split on space to separate the expiry value from the expiry unit.

        split_expire = split(expire," ")

        ' A uBound value of 1 is expected

        if uBound(split_expire) = 1 then

            expire_value = split_expire(0)
            if NOT isNumeric(expire_value) then exit sub
            expire_value = int(expire_value)

            select case lCase(split_expire(1))

                case "minute","minutes"
                    expire = DateAdd("n",expire_value,Now())
                case "hour","hours"
                    expire = DateAdd("h",expire_value,Now())
                case "day","days"
                    expire = DateAdd("d",expire_value,Now())
                case "week","weeks"
                    expire = DateAdd("ww",expire_value,Now())
                case "month","months"
                    expire = DateAdd("m",expire_value,Now())
                case "year","years"
                    expire = DateAdd("yyyy",expire_value,Now())
                case else
                    ' unknown expiry unit, exit sub
                    exit sub
            end select

        else

            ' Unexpected uBound. This means no space was included when specifying the expiry length
            ' or multiple spaces were included. 

            exit sub

        end if

    end if

    ' Set the expiry date if there is one. If the expiry value is null then no expiry date will be set and 
    ' the cookie will expire when the session does (a session cookie).

    ' The expiry date can only be UTC or GMT. Be sure to check your servers timezone and adjust accordingly.

    if isDate(expire) then

        ' The cookie date needs to be formatted as:
        ' WeekDayName(shortened), day-monthName(shortened)-year timestamp(00:00:00) GMT/UTC

        expire = cDate(expire)
        cookie_header = cookie_header & "expires=" &_ 
        weekday_name(WeekDay(expire),true) & ", " &_ 
        ZeroPad(Day(expire)) & "-" &_ 
        month_name(Month(expire),true) & "-" &_ 
        year(expire) & " " &_ 
        timeFromDate(expire) & " UTC; "

    end if

    cookie_header = cookie_header & "path=" & cookie_path & "; "

    ' HttpOnly means cookies can only be read over a HTTP (or HTTPS) connection.
    ' This prevents JavaScript from being able to read any cookies set as HttpOnly.
    ' HttpOnly should always be used unless you're setting a cookie that needs to
    ' be accessed by JavaScript (a CSRF token cookie for example).

    if http_only then
        cookie_header = cookie_header & "HttpOnly; "
    end if

    ' A "secure" cookie means the cookie can only be accessed over a HTTPS connection.
    ' If we try to create a secure cookie over a none HTTPS connection it will be 
    ' rejected by most browsers. So check the HTTPS protocol is ON before setting a
    ' cookie as secure. This check is particularly useful when running on a localhost,
    ' most localhosts don't use HTTPS, so trying to set a Secure cookie won't work. 

    if secure AND uCase(request.ServerVariables("HTTPS")) = "ON" then
        cookie_header = cookie_header & "Secure; "
    end if          

    ' Add the header and remove the trailing ";"

    response.AddHeader "Set-Cookie",left(cookie_header,len(cookie_header)-2)

end sub


' *********************************************************************************************************
' Delete a cookie   
' *********************************************************************************************************

sub delete_cookie(cookie_name)

    ' There is no header for deleting cookies. Instead, cookies are modified to a date that
    ' has already expired and the users browser will delete the expired cookie for us.

    response.AddHeader "Set-Cookie",cookie_name & "=; " &_
    "expires=Thu, 01-Jan-1970 00:00:00 UTC; path=/"

end sub


' *********************************************************************************************************
' When the LCID is set to 1033 (us) vbLongTime formats in 12hr with AM / PM, this is invalid for a cookie
' timestamp. Instead, we use vbShortTime which returns the hour and minute as 24hr with any LCID, then use
' vbLongTime to get the seconds, and join the two together.
' *********************************************************************************************************

function timeFromDate(ByVal theDate)
    Dim ts_secs : ts_secs = split(FormatDateTime(theDate,vbLongTime),":")       
    if uBound(ts_secs) = 2 then
        timeFromDate = FormatDateTime(theDate,vbShortTime) & ":" & left(ts_secs(2),2)
    else
        timeFromDate = "00:00:00"   
    end if
end function


' *********************************************************************************************************
' WeekDayName and MonthName will return a value in the native language based on the LCID.
' These are custom functions used to return the weekday and month names in english, 
' reguardless of the LCID
' *********************************************************************************************************

function weekday_name(weekday_val, shorten)

    select case weekday_val

        case 1
            if shorten then weekday_name = "Sun" else weekday_name = "Sunday"
        case 2
            if shorten then weekday_name = "Mon" else weekday_name = "Monday"
        case 3
            if shorten then weekday_name = "Tue" else weekday_name = "Tuesday"
        case 4
            if shorten then weekday_name = "Wed" else weekday_name = "Wednesday"
        case 5
            if shorten then weekday_name = "Thu" else weekday_name = "Thursday"
        case 6
            if shorten then weekday_name = "Fri" else weekday_name = "Friday"
        case 7
            if shorten then weekday_name = "Sat" else weekday_name = "Saturday"

    end select

end function

function month_name(month_val, shorten)

    select case month_val

        case 1
            if shorten then month_name = "Jan" else month_name = "January"
        case 2
            if shorten then month_name = "Feb" else month_name = "February"
        case 3
            if shorten then month_name = "Mar" else month_name = "March"
        case 4
            if shorten then month_name = "Apr" else month_name = "April"
        case 5
            month_name = "May"
        case 6
            if shorten then month_name = "Jun" else month_name = "June"
        case 7
            if shorten then month_name = "Jul" else month_name = "July"
        case 8
            if shorten then month_name = "Aug" else month_name = "August"
        case 9
            if shorten then month_name = "Sep" else month_name = "September"
        case 10
            if shorten then month_name = "Oct" else month_name = "October"
        case 11
            if shorten then month_name = "Nov" else month_name = "November"
        case 12
            if shorten then month_name = "Dec" else month_name = "December"

    end select

end function


' *********************************************************************************************************
' Prefix a 1 digit number with a 0. Used in date formatting
' *********************************************************************************************************

function zeroPad(theNum)
    if len(theNum) = 1 then
        zeroPad = cStr("0" & theNum)
    else
        zeroPad = theNum
    end if
end function

Examples:

' **************************************************************************************************************
' set_cookie(COOKIE NAME, COOKIE VALUE, COOKIE PATH, HTTPONLY (BOOLEAN), SECURE (BOOLEAN), EXPIRY DATE / LENGTH)
' **************************************************************************************************************

' Expire on a specific date: 

call set_cookie("cookie_name1","cookie value","/",true,true,"15 Jan 2019 12:12:12")
call set_cookie("cookie_name2","cookie value","/",true,true,"15 January 2019 12:12:12")

call set_cookie("cookie_name3","cookie value","/",true,true,"Jan 15 2019 12:12:12")
call set_cookie("cookie_name4","cookie value","/",true,true,"January 15 2019 12:12:12")

call set_cookie("cookie_name5","cookie value","/",true,true,"Jan 15 2019")
call set_cookie("cookie_name6","cookie value","/",true,true,"January 15 2019")

' Expire when the session ends (a sesson cookie):

call set_cookie("cookie_name7","cookie value","/",true,true,null)

' Specify an expiry length:

call set_cookie("cookie_name8","cookie value","/",true,true,"20 minutes")
call set_cookie("cookie_name9","cookie value","/",true,true,"1 hour")
call set_cookie("cookie_name10","cookie value","/",true,true,"10 days")
call set_cookie("cookie_name11","cookie value","/",true,true,"3 weeks")
call set_cookie("cookie_name12","cookie value","/",true,true,"1 year")

' Delete a cookie:

call delete_cookie("cookie_name")

' This would also work for deleting a cookie:

call set_cookie("cookie_name","","/",false,false,"-1 year")

This page has lots of information that's relevant to your problem.

.NET 1.1 doesn't add HttpOnly because it hadn't been invented yet.

If your app will run under .NET 2.0 (I moved several Classic ASP sites to 2.0 virtually unchanged) HttpOnly is set by default.

If I read him right, you can get the Session cookie and append ; HttpOnly; to it. He gives a java example:

String sessionid = request.getSession().getId();
response.setHeader("SET-COOKIE", "JSESSIONID=" + sessionid + "; HttpOnly");

Lastly, he suggests:

if code changes are infeasible, web application firewalls can be used to add HttpOnly to session cookies

Edited to add: to those who think migrating to .NET (which can accommodate most Classic ASP code unchanged) is too drastic a change to get such a small feature, my experience of ISAPI filters is that they, too, can be a major pain, and in some common situations (shared hosting) you can't use them at all.

If you have IIS7 + you need to make sure the URL Rewrite module is installed. You can install it with the Web Platform Installer. The Web Platform Installer can be found in the features view for your website. You need to run IIS Manager as administrator.

Click on the Web Platform Installer in the features view for your website:

Maker sure the URL Rewrite Server Product is installed. If it isn't, then install it.

With the URL Rewrite Server Product installed, you can use the URL Rewrite Feature on your website to add a rule to add HttpOnly for your Session ID cookies.

You should see, if it doesn't already exist, a web.config file created for your ASP site. it will have the following contents:

If you use Firebug in Firefox to inspect your cookies, you should now see the HttpOnly flag set: