
Classic ASP: How to check if ASPSESSIONID* cookie has been marked as secure?

I am trying to mark the ASP session ID cookie as HttpOnly but can't seem to find a way to tell if it is working. The environment I am trying this in is as follows:

OS: Windows Server 2003
IIS: 6
ASP Version: ASP 3 (Classic ASP)

In order to mark the cookie as HttpOnly, I followed MS KB

As per our architect's suggestion, to test whether this works, JavaScript's document.cookie should not be able to read the ASPSESSIONID* cookie. My issue is that javascript:alert(document.cookie) still echoes the ASPSESSIONID* cookie, although it appears to be encrypted(?)

I also tried to do this via Response.AddHeader "Set-Cookie" but can't determine what value to give for this header to mark all the cookies OR AT LEAST the ASP Session ID cookie as HttpOnly. Help!!!

Sudhanshu Mishra asked Dec 29 '22 04:12


1 Answer

Just came across this issue because of a "new" PCI compliance item. It's a bit clumsy, but this seems to work:

<%
' Re-issue the ASP session cookie with the HttpOnly flag. This must run before
' any output is sent (Response.Buffer is on by default), or AddHeader fails.
Dim RawCookies, Pos, AspSessionCookie
RawCookies = Request.ServerVariables("HTTP_COOKIE")
Pos = InStr(1, RawCookies, "ASPSESSIONID", vbTextCompare)

If Pos > 0 Then
    ' Keep only "ASPSESSIONIDxxxx=value", i.e. up to the next ";" if there is one
    ' (the original Split(...)(1) raised "subscript out of range" when the
    ' request carried other cookies but no ASPSESSIONID* cookie)
    AspSessionCookie = Mid(RawCookies, Pos)
    If InStr(1, AspSessionCookie, ";") > 0 Then
        AspSessionCookie = Split(AspSessionCookie, ";")(0)
    End If
    ' Repeat ASP's own "path=/" so the browser replaces the original cookie
    ' rather than storing a second one scoped to the current directory
    Response.AddHeader "Set-Cookie", Trim(AspSessionCookie) & "; path=/; HttpOnly"
Else
    ' No session cookie yet: ASP sets it on this response, and the next
    ' request carries it back and reaches the branch above (assumes the
    ' client accepts cookies; a client that rejects them would loop here)
    Response.Redirect Request.ServerVariables("URL")
End If
%>
Stephen answered Jan 13 '23 10:01
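The question asks how to tell whether the session cookie is actually being issued with HttpOnly. Reading document.cookie in the browser only shows cookies that are not HttpOnly, and a cookie stored before the change is still there until it expires, so the reliable check is to look at the raw Set-Cookie headers in the server's response. The script below is an added example written for this page (it is not part of the question or the answer); it parses Set-Cookie headers, reports the HttpOnly and Secure flags of every ASPSESSIONID* cookie, and can fetch a live URL. The two sample header lists are constructed, not captured from a real IIS server, and the "path=/" behaviour they illustrate is an assumption about how ASP scopes its session cookie: if the re-issued cookie does not repeat that path, the browser stores it as a separate cookie and the original, non-HttpOnly one survives.

```python
"""Check whether ASPSESSIONID* cookies are issued with HttpOnly (and Secure).

Works from the raw Set-Cookie response headers rather than document.cookie,
so an HttpOnly cookie is still visible to the check.
"""
import http.client
import sys
from urllib.parse import urlsplit

SESSION_PREFIX = "ASPSESSIONID"  # IIS appends a per-process suffix, e.g. ASPSESSIONIDQABTCRAB
DEFAULT_PATH = "<default>"       # marker for a cookie sent without a Path attribute


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, attrs).

    Attribute names are case-insensitive (RFC 6265) and are lower-cased here;
    valueless flags such as HttpOnly and Secure map to True.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return name.strip(), value.strip(), attrs


def audit_session_cookies(set_cookie_headers):
    """Map (cookie name, path) -> {"httponly": bool, "secure": bool}.

    Only ASPSESSIONID* cookies are considered. When the same name/path is set
    twice in one response (ASP's own header plus a re-issued one from
    Response.AddHeader), the last header wins, as it does in the browser's
    cookie jar. A re-issued cookie with a different Path is a different cookie,
    so it is reported separately and the original's flags still stand.
    """
    flags = {}
    for header in set_cookie_headers:
        name, _value, attrs = parse_set_cookie(header)
        if not name.upper().startswith(SESSION_PREFIX):
            continue
        path = attrs.get("path", DEFAULT_PATH)
        flags[(name, path)] = {
            "httponly": attrs.get("httponly") is True,
            "secure": attrs.get("secure") is True,
        }
    return flags


def problems(flags):
    """Human-readable list of missing flags; empty when everything is set."""
    out = []
    for (name, path), f in sorted(flags.items()):
        if not f["httponly"]:
            out.append(f"{name} (path {path}): missing HttpOnly")
        if not f["secure"]:
            out.append(f"{name} (path {path}): missing Secure")
    return out


def fetch_set_cookie_headers(url):
    """Return every Set-Cookie header from one GET of url (redirects not followed).

    Duplicate headers are kept separate; a comma-joined view would break on the
    comma inside an Expires date.
    """
    u = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(u.hostname, u.port, timeout=10)
    try:
        target = (u.path or "/") + ("?" + u.query if u.query else "")
        conn.request("GET", target)
        resp = conn.getresponse()
        return resp.msg.get_all("Set-Cookie") or []
    finally:
        conn.close()


# Constructed sample responses (not captured from a real server).
# ASP's own cookie, followed by a re-issue that repeats its path=/ :
SAMPLE_FIXED = [
    "ASPSESSIONIDQABTCRAB=ABCDEFGHIJKLMNOPQRSTUVWX; path=/",
    "ASPSESSIONIDQABTCRAB=ABCDEFGHIJKLMNOPQRSTUVWX; path=/; HttpOnly",
    "prefs=lang%3Den; path=/; expires=Wed, 01 Jan 2025 00:00:00 GMT",
]
# Re-issue without a Path: the browser keeps the original, non-HttpOnly cookie
# at "/" and stores a second one scoped to the requesting page's directory.
SAMPLE_SPLIT = [
    "ASPSESSIONIDQABTCRAB=ABCDEFGHIJKLMNOPQRSTUVWX; path=/",
    "ASPSESSIONIDQABTCRAB=ABCDEFGHIJKLMNOPQRSTUVWX; HttpOnly",
]

if __name__ == "__main__":
    headers = fetch_set_cookie_headers(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_FIXED
    report = problems(audit_session_cookies(headers))
    for line in report or ["all ASPSESSIONID* cookies carry HttpOnly and Secure"]:
        print(line)
```

Run it as `python check_aspsession.py http://server/app/page.asp` against the page that emits the Set-Cookie header, using a fresh client so the server actually issues a session cookie (a browser that already holds one sends it back and gets no new Set-Cookie). Note that the first response from IIS still carries the cookie without HttpOnly; only the re-issued header from Response.AddHeader adds the flag, which is why the check looks at the last header for each name and path.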