How exactly do you configure httpOnly Cookies in ASP Classic?

StackOverflow https://stackoverflow.com/questions/55296

  •  09-06-2019
  •  | 
  •  

Question

I'm looking to implement httpOnly in my legacy ASP classic sites. Anyone knows how to do it?

Was it helpful?

Solution 

Response.AddHeader "Set-Cookie", "mycookie=yo; HttpOnly"

Other options like expires, path and secure can be also added in this way. I don't know of any magical way to change your whole cookies collection, but I could be wrong about that.

OTHER TIPS

If you run your Classic ASP web pages on IIS 7/7.5, then you can use the IIS URL Rewrite module to write a rule to make your cookies HTTPOnly.

Paste the following into the section of your web.config:

<rewrite>
    <outboundRules>
        <rule name="Add HttpOnly" preCondition="No HttpOnly">
            <match serverVariable="RESPONSE_Set_Cookie" pattern=".*" negate="false" />
            <action type="Rewrite" value="{R:0}; HttpOnly" />
            <conditions>
            </conditions>
        </rule>
        <preConditions>
            <preCondition name="No HttpOnly">
                <add input="{RESPONSE_Set_Cookie}" pattern="." />
                <add input="{RESPONSE_Set_Cookie}" pattern="; HttpOnly" negate="true" />
            </preCondition>
        </preConditions>
    </outboundRules>
</rewrite>

See here for the details: http://forums.iis.net/t/1168473.aspx/1/10

For background, HTTPOnly cookies are required for PCI compliance reasons. The PCI standards folks (for credit card security) make you have HTTPOnly on your sessionID cookies at the very least in order to help prevent XSS attacks.

Also, at the current time (2-11-2013), all major browser support the HTTPOnly restriction on cookies. This includes current versions of IE, Firefox, Chrome and Safari.

See here for more info on how this works and support by various browser versions: https://www.owasp.org/index.php/HTTPOnly

You need to append ";HttpOnly" to the Response cookies collection.

Response.AddHeader "Set-Cookie", ""&CStr(Request.ServerVariables("HTTP_COOKIE"))&";path=/;HttpOnly"&""

HttpOnly does very little to improve the security of web applications. For one thing, it only works in IE (Firefox "supports" it, but still discloses cookies to Javascript in some situations). For another thing, it only prevents a "drive-by" attack against your application; it does nothing to keep a cross-site scripting attack from resetting passwords, changing email addresses, or placing orders.

Should you use it? Sure. It's not going to hurt you. But there are 10 things you should be sure you're doing before you start messing with HttpOnly.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top