Does anyone know exactly how to set HTTPONLY on classic ASP session cookies?
This is the final thing that's been flagged in a vulnerability scan and needs fixing ASAP, so any help is appreciated.
~~~A LITTLE MORE INFORMATION ON MY PROBLEM~~~
Can anyone please help me with this?
I need to know how to set HTTPONLY on the ASPSESSION cookie created by default from ASP & IIS.
This is the cookie automatically created by the server for all asp pages.
If needed i can set HTTPONLY on all cookie across the site.
Any help on how to do this would be massively appreciated.
Thanks
Thanks Elliott
Set HttpOnly cookie in PHPini_set("session. cookie_httponly", True); This is the most common way to set cookies in PHP, empty variables will hold their default value.
Use the HttpOnly attribute to prevent access to cookie values via JavaScript. Cookies that are used for sensitive information (such as indicating authentication) should have a short lifetime, with the SameSite attribute set to Strict or Lax . (See SameSite attribute, above.)
Like in the previous example, HttpOnly can also be set from C# code: Response. Cookies. Add( new HttpCookie("key", "value") { HttpOnly = true, Secure = true, });
Microsoft includes an example using an ISAPI filter to all outbound cookies: http://msdn.microsoft.com/en-us/library/ms972826
or URL rewriting could be used http://forums.iis.net/p/1168473/1946312.aspx
<rewrite> <outboundRules> <rule name="Add HttpOnly" preCondition="No HttpOnly"> <match serverVariable="RESPONSE_Set_Cookie" pattern=".*" negate="false" /> <action type="Rewrite" value="{R:0}; HttpOnly" /> <conditions> </conditions> </rule> <preConditions> <preCondition name="No HttpOnly"> <add input="{RESPONSE_Set_Cookie}" pattern="." /> <add input="{RESPONSE_Set_Cookie}" pattern="; HttpOnly" negate="true" /> </preCondition> </preConditions> </outboundRules> </rewrite>
If you have IIS7 + you need to make sure the URL Rewrite module is installed. You can install it with the Web Platform Installer. The Web Platform Installer can be found in the features view for your website. You need to run IIS Manager as administrator.
Click on the Web Platform Installer in the features view for your website:
Maker sure the URL Rewrite Server Product is installed. If it isn't, then install it.
With the URL Rewrite Server Product installed, you can use the URL Rewrite Feature on your website to add a rule to add HttpOnly for your Session ID cookies.
You should see, if it doesn't already exist, a web.config file created for your ASP site. it will have the following contents:
If you use Firebug in Firefox to inspect your cookies, you should now see the HttpOnly flag set:
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With