I'm looking to implement httpOnly in my legacy ASP classic sites. Anyone knows how to do it?
If you run your Classic ASP web pages on IIS 7/7.5, then you can use the IIS URL Rewrite module to write a rule to make your cookies HTTPOnly.
Paste the following into the section of your web.config:
<rewrite>
<outboundRules>
<rule name="Add HttpOnly" preCondition="No HttpOnly">
<match serverVariable="RESPONSE_Set_Cookie" pattern=".*" negate="false" />
<action type="Rewrite" value="{R:0}; HttpOnly" />
<conditions>
</conditions>
</rule>
<preConditions>
<preCondition name="No HttpOnly">
<add input="{RESPONSE_Set_Cookie}" pattern="." />
<add input="{RESPONSE_Set_Cookie}" pattern="; HttpOnly" negate="true" />
</preCondition>
</preConditions>
</outboundRules>
</rewrite>
See here for the details: http://forums.iis.net/t/1168473.aspx/1/10
For background, HTTPOnly cookies are required for PCI compliance reasons. The PCI standards folks (for credit card security) make you have HTTPOnly on your sessionID cookies at the very least in order to help prevent XSS attacks.
Also, at the current time (2-11-2013), all major browser support the HTTPOnly restriction on cookies. This includes current versions of IE, Firefox, Chrome and Safari.
See here for more info on how this works and support by various browser versions: https://www.owasp.org/index.php/HTTPOnly
Response.AddHeader "Set-Cookie", "mycookie=yo; HttpOnly"
Other options like expires
, path
and secure
can be also added in this way. I don't know of any magical way to change your whole cookies collection, but I could be wrong about that.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With