Setting HTTPONLY for Classic Asp Session Cookie

Does anyone know exactly how to set HTTPONLY on classic ASP session cookies?

This is the final thing that's been flagged in a vulnerability scan and needs fixing ASAP, so any help is appreciated.

~~~A LITTLE MORE INFORMATION ON MY PROBLEM~~~

Can anyone please help me with this?

I need to know how to set HTTPONLY on the ASPSESSION cookie created by default from ASP & IIS.

This is the cookie automatically created by the server for all asp pages.

If needed I can set HTTPONLY on all cookies across the site.

Any help on how to do this would be massively appreciated.

Thanks

Thanks Elliott

E.Shafii asked Jun 07 '10 15:06




2 Answers

Microsoft includes an example that uses an ISAPI filter to add HttpOnly to all outbound cookies: http://msdn.microsoft.com/en-us/library/ms972826

Or URL rewriting could be used: http://forums.iis.net/p/1168473/1946312.aspx

```xml
<!-- Goes inside <system.webServer> in the site's web.config -->
<rewrite>
    <outboundRules>
        <rule name="Add HttpOnly" preCondition="No HttpOnly">
            <!-- Match every Set-Cookie response header and append "; HttpOnly" to it -->
            <match serverVariable="RESPONSE_Set_Cookie" pattern=".*" negate="false" />
            <action type="Rewrite" value="{R:0}; HttpOnly" />
            <conditions>
            </conditions>
        </rule>
        <preConditions>
            <!-- Only fire when a Set-Cookie header exists and does not already carry HttpOnly -->
            <preCondition name="No HttpOnly">
                <add input="{RESPONSE_Set_Cookie}" pattern="." />
                <add input="{RESPONSE_Set_Cookie}" pattern="; HttpOnly" negate="true" />
            </preCondition>
        </preConditions>
    </outboundRules>
</rewrite>
```
sep15ms answered Sep 20 '22 09:09


If you have IIS7+ you need to make sure the URL Rewrite module is installed. You can install it with the Web Platform Installer. The Web Platform Installer can be found in the features view for your website. You need to run IIS Manager as administrator.

Run IIS As Administrator

Click on the Web Platform Installer in the features view for your website:

Web Platform Installer

Make sure the URL Rewrite Server Product is installed. If it isn't, then install it.

Url Rewrite Server Product

With the URL Rewrite Server Product installed, you can use the URL Rewrite Feature on your website to add a rule to add HttpOnly for your Session ID cookies.

URL Rewrite Feature


Add HttpOnly Outbound Rule

You should see, if it doesn't already exist, a web.config file created for your ASP site. It will have the following contents:

[screenshot: the generated web.config with the outbound rule]

If you use Firebug in Firefox to inspect your cookies, you should now see the HttpOnly flag set:

[screenshot: cookie inspector showing the HttpOnly flag set on the ASPSESSIONID cookie]

Jeremy Ray Brown answered Sep 23 '22 09:09
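The outbound rule in the first answer and the cookie check in the second one, modelled in Python as an added example (not code from either answer or from IIS): the precondition and rewrite action are reproduced over constructed Set-Cookie header values, and a helper lists every cookie that would still lack HttpOnly, which is what a scanner or browser inspector would report. The `SAMPLE_SET_COOKIE` values are made up for the example.

```python
import re
from typing import List

# Constructed Set-Cookie header values, roughly what a classic ASP page on IIS
# might emit (the session id value is made up, not captured from a server).
SAMPLE_SET_COOKIE = [
    "ASPSESSIONIDQSRBCDEF=ABCDEFGHIJKLMNOPQRSTUVWX; path=/",
    "prefs=theme%3Ddark; expires=Wed, 09 Jun 2021 10:18:14 GMT; path=/; HttpOnly",
    "tracking=1; path=/; Secure",
]


def needs_httponly(set_cookie: str) -> bool:
    """Mirror the rule's preCondition: header present (pattern ".") and not
    already containing "; HttpOnly" (negate="true"). IIS rewrite patterns are
    case-insensitive by default, hence re.IGNORECASE."""
    return bool(set_cookie) and re.search(r"; HttpOnly", set_cookie, re.IGNORECASE) is None


def apply_outbound_rule(set_cookie: str) -> str:
    """Mirror <action type="Rewrite" value="{R:0}; HttpOnly" />: {R:0} is the
    whole matched header, so the action just appends "; HttpOnly".
    Note the gap the rule inherits: a header written as ";HttpOnly" (no space)
    does not match the precondition and receives a duplicate attribute."""
    if needs_httponly(set_cookie):
        return set_cookie + "; HttpOnly"
    return set_cookie


def rewrite_all(headers: List[str]) -> List[str]:
    """Run the outbound rule over every Set-Cookie header of a response."""
    return [apply_outbound_rule(h) for h in headers]


def cookies_missing_httponly(headers: List[str]) -> List[str]:
    """Verification step equivalent to inspecting cookies in the browser:
    return the names of cookies whose header still lacks HttpOnly."""
    return [h.split("=", 1)[0].strip() for h in headers if needs_httponly(h)]


if __name__ == "__main__":
    print("before:", cookies_missing_httponly(SAMPLE_SET_COOKIE))
    print("after: ", cookies_missing_httponly(rewrite_all(SAMPLE_SET_COOKIE)))
```

The rule only adds HttpOnly; the Secure attribute on the third sample cookie is left exactly as the application set it, so a scan that also flags missing Secure needs a separate rule or an application-side change.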