Setting HTTPONLY for CLASSIC ASP Session Cookie - URGENT HELP NEEDED PLEASE!!!

22 replies

Last post Apr 02, 2016 01:08 PM by Ken Schaefer

  • Setting HTTPONLY for CLASSIC ASP Session Cookie - URGENT HELP NEEDED PLEASE!!!

    Jun 07, 2010 06:00 PM|Shafii|LINK

    Hello all,

    I'm not really sure if this should fall under the IIS.net forum, but I had a similar issue where I needed to update the Metabase.xml, so it might be a similar fix.

    Basically, this is the final thing that's been flagged in a vulnerability scan and needs fixing ASAP, so any help is hugely appreciated.

    I need to know how to set HTTPONLY on the ASPSESSION cookie created by default from ASP & IIS. This is the cookie that is automatically created by the server for all ASP pages. The issue I had before was to do with setting the cookie as Secure because this is running through https.

    If needed I can set HTTPONLY on all cookies across the site.

    Any help on how to do this would be massively appreciated.

    Thanks a lot,
    Elliott


  • Re: Setting HTTPONLY for CLASSIC ASP Session Cookie - URGENT HELP NEEDED PLEASE!!!

    Jun 09, 2010 11:21 PM|J_P|LINK

     It took me two minutes to find this with Google

     

    http://stackoverflow.com/questions/55296/how-exactly-do-you-configure-httponly-cookies-in-asp-classic

  • Re: Setting HTTPONLY for CLASSIC ASP Session Cookie - URGENT HELP NEEDED PLEASE!!!

    Jun 10, 2010 04:34 AM|Shafii|LINK

    Yes, this was posted by me. However, the response didn't help, as we're not setting the cookie and have no chance in the code to apply the HTTPONLY attribute. It's created automatically by IIS / ASP, so it needs to be set by default somewhere. But I don't know where.
  • Re: Setting HTTPONLY for CLASSIC ASP Session Cookie - URGENT HELP NEEDED PLEASE!!!

    Dec 05, 2010 10:00 AM|Jeremy Lloyd|LINK

    If you are using IIS7 or IIS7.5 and install the URL Rewriting add-in then you can do this. You can create a rewriting rule that adds "HttpOnly" to any out going "Set-Cookie" headers. Paste the following into the <system.webServer> section of your web.config. I then used Fiddler to prove the output.

     Regards, Jeremy

            <rewrite>
                <outboundRules>
                    <rule name="Add HttpOnly" preCondition="No HttpOnly">
                        <match serverVariable="RESPONSE_Set_Cookie" pattern=".*" negate="false" />
                        <action type="Rewrite" value="{R:0}; HttpOnly" />
                        <conditions>
                        </conditions>
                    </rule>
                    <preConditions>
                        <preCondition name="No HttpOnly">
                            <add input="{RESPONSE_Set_Cookie}" pattern="." />
                            <add input="{RESPONSE_Set_Cookie}" pattern="; HttpOnly" negate="true" />
                        </preCondition>
                    </preConditions>
                </outboundRules>
            </rewrite>

  • Re: Setting HTTPONLY for CLASSIC ASP Session Cookie - URGENT HELP NEEDED PLEASE!!!

    Dec 05, 2010 12:59 PM|J_P|LINK

     You are responding to a post in an IIS 5/6 forum for classic ASP.

    web.config is not applicable.

  • Re: Setting HTTPONLY for CLASSIC ASP Session Cookie - URGENT HELP NEEDED PLEASE!!!

    Dec 05, 2010 01:06 PM|Jeremy Lloyd|LINK

    True, but:

    1. the question was also about Classic ASP, which also runs on IIS7, and the problem applies equally on IIS7

    2. There are URL Rewriting products for IIS6 too, and URL rewriting tools as a solution had not been suggested.

  • Re: Setting HTTPONLY for CLASSIC ASP Session Cookie - URGENT HELP NEEDED PLEASE!!!

    Jan 10, 2012 07:23 PM|dushmantha|LINK

     Hello,

    Pretty sure you have sorted this classic ASPSESSION cookie vulnerability issue. I am in a similar kind of situation and have tried different things to make cookies Secure and HttpOnly, but so far have only succeeded in making other cookies Secure. Could you let me know if you sorted this please.

    Thanking

    Dush

     

  • Re: Setting HTTPONLY for CLASSIC ASP Session Cookie - URGENT HELP NEEDED PLEASE!!!

    Jan 11, 2012 07:54 AM|Jeremy Lloyd|LINK

    Hi Dush

    Out of the box IIS does not have an option to set HttpOnly for the ASP Session cookie, or any application generated cookies either.

    For the ASP session cookie you have two options as solutions. If you are using IIS7+ then you can use the URL Rewriting add-in for IIS to add "; HttpOnly" to any Set-Cookie header leaving the web server that doesn't already have it on. This is the easiest option.

    If you are using IIS6, then I couldn't find any third-party ISAPI filters which would parse and alter the HTTP headers (only the URL). In this case, the only option is to hope your front-facing firewall has content scanning and rewriting facilities. Ours does. It is an F5 unit with the ASM module installed.

    For application-generated cookies you can replace references to the Cookies collection that set cookies with Response.AddHeader("Set-Cookie", xxx) instead. You have to be careful of the encoding format, the "path" attribute and the "expires" attribute. Alternatively, you can use the same solutions as for the ASP session cookie above.

    If you post an email address I can email you a web.config file which has the rewriting rules in it, and some sample code for setting the cookies with AddHeader making sure the syntax for the expires and path headers is right.

    Regards

    Jeremy

  • Re: Setting HTTPONLY for CLASSIC ASP Session Cookie - URGENT HELP NEEDED PLEASE!!!

    Jan 11, 2012 08:13 AM|dushmantha|LINK

     Hi Jeremy,

    Kind of you and Thank you. I have mailed you my email address.

    Thanking

    Dush

     

  • Re: Setting HTTPONLY for CLASSIC ASP Session Cookie - URGENT HELP NEEDED PLEASE!!!

    Feb 14, 2012 10:36 PM|wickytse|LINK

    Hi, I am using IIS 6 + CLASSIC ASP. Is there any way to make the ASP session cookie HttpOnly? I have searched around and downloaded HttpOnly.dll ( http://www.tenuta.com.br/util/HTTPOnly.dll ) but it doesn't help.

    Thanks,
    Wicky
  • Re: Setting HTTPONLY for CLASSIC ASP Session Cookie - URGENT HELP NEEDED PLEASE!!!

    Nov 06, 2012 05:55 PM|networkengineer49|LINK

     http://weblogs.asp.net/dotnetstories/archive/2009/10/24/five-common-mistakes-in-the-web-config-file.aspx

     I'm having this issue - reluctant to use URL Rewrite as the web server hosts many websites.

    This should mark all server session cookies as HTTPOnly?

    Set this to True - not working in my case - server not setting session cookies to HTTPOnly

  • Re: Setting HTTPONLY for CLASSIC ASP Session Cookie - URGENT HELP NEEDED PLEASE!!!

    Dec 02, 2012 07:24 PM|mrburger|LINK

    Actually in this case it is.

    Just create a web.config in the root directory for your classic asp app with the rewrite xml in place and IIS 7/7.5 will pick up on it and apply the HttpOnly property to all your cookies

  • Re: Setting HTTPONLY for CLASSIC ASP Session Cookie - URGENT HELP NEEDED PLEASE!!!

    Jan 08, 2013 11:38 AM|nspintenn|LINK

    Jeremy Lloyd

    If you post an email address I can email you a web.config file which has the rewriting rules in it, and some sample code for setting the cookies with AddHeader making sure the syntax for the expires and path headers is right.


    Jeremy, I am having this exact same problem with URL Rewrite in classic ASP, even after trying the code above earlier in the thread. Any possibility that you might be able to send me what you sent Dush in the thread?

    I would be very grateful.  I am about ready to pull my hair out.

    Thanks,
    John
    nspintenn@yahoo.com

  • Re: Setting HTTPONLY for CLASSIC ASP Session Cookie - URGENT HELP NEEDED PLEASE!!!

    Feb 26, 2013 10:08 AM|bclark-rdc|LINK

    I'd like to endorse this URL Rewrite method:

    Jeremy Lloyd

    If you are using IIS7 or IIS7.5 and install the URL Rewriting add-in then you can do this.

    I have a number of Classic ASP apps that I run on IIS 7.5 and this rule worked for me. Two things that I did differently are:

    I changed the match serverVariable pattern to be "ASPSESSIONID*" rather than ".*". That just happens to be what all of my session ID cookies start with, so it worked well for me. Your apps may be different. This is what this looks like in my rule:

    <match serverVariable="RESPONSE_Set_Cookie" pattern="ASPSESSIONID*" negate="false" />

    I changed the patternSyntax to "Wildcard" because the default is RegEx and Wildcard is needed to make the above pattern work properly. This is what that looks like in my rule:

    <rule name="Add HttpOnly" preCondition="No HttpOnly" patternSyntax="Wildcard">

    Best of luck!

    Brian


  • Re: Setting HTTPONLY for CLASSIC ASP Session Cookie - URGENT HELP NEEDED PLEASE!!!

    Feb 26, 2013 10:12 AM|bclark-rdc|LINK

    networkengineer49

    I'm having this issue - reluctant to use url rewrite as webserver hosts many websites.

    URL Rewrite is designed so that its rules can be applied just to specific websites or to all websites. You can easily create a rule just for one website. In IIS Manager, just navigate to "Sites" and select the site you want to modify. Then open up the URL Rewrite configuration panel and add the rule. It will only apply to that site.

    Alternatively, you could put the configuration directly into the web.config for only that web app.

    Neither of these methods will cause URL Rewrite to affect any web sites other than the one you specifically configure it for.

    Good luck!

    Brian

  • Re: Setting HTTPONLY for CLASSIC ASP Session Cookie - URGENT HELP NEEDED PLEASE!!!

    Oct 30, 2013 03:03 AM|tskol777|LINK

    Hello!

    I have a problem with URL rewrite module and the rule :

    <rewrite>
        <outboundRules>
            <rule name="Add HttpOnly" preCondition="No HttpOnly" patternSyntax="Wildcard">
                <match serverVariable="RESPONSE_Set_Cookie" pattern="ASPSESSIONID*" negate="false"/>
                <action type="Rewrite" value="{R:0}; HttpOnly"/>
                <conditions/>
            </rule>
            <preConditions>
                <preCondition name="No HttpOnly">
                    <add input="{RESPONSE_Set_Cookie}" pattern="."/>
                    <add input="{RESPONSE_Set_Cookie}" pattern="; HttpOnly" negate="true"/>
                </preCondition>
            </preConditions>
        </outboundRules>
    </rewrite>

    It's working, but from time to time web pages start to display strange symbols, see example below.

    It's not all the time but occasionally. After an IIS restart everything works again for a short time, and then the problem appears again later.

    Could someone help me please?


  • Re: Setting HTTPONLY for CLASSIC ASP Session Cookie - URGENT HELP NEEDED PLEASE!!!

    Jun 16, 2014 05:17 AM|Disha31|LINK

    Jeremy Lloyd

    If you post an email address I can email you a web.config file which has the rewriting rules in it, and some sample code for setting the cookies with AddHeader making sure the syntax for the expires and path headers is right.

    Hi Jeremy,

     

    I am in a similar situation here with cookies to be set as httponly. I am working with Classic ASP and IIS 6.0 .

    It would be great if you could mail me the above.

     

    Regards,

    Disha

  • Re: Setting HTTPONLY for CLASSIC ASP Session Cookie - URGENT HELP NEEDED PLEASE!!!

    Jun 24, 2014 01:40 PM|nagaozen|LINK

    ASP Xtreme Evolution offers an easy fix for this, just set the Cookie using XCookies singleton. Source code is available as free software: https://github.com/nagaozen/asp-xtreme-evolution/blob/master/lib/axe/base.asp 

    Setting a httponly just needs a:

    > XCookies.setItem "Classic ASP Framework", "ASP Xtreme Evolution", 3600, false, "/", false, true


  • Re: Setting HTTPONLY for CLASSIC ASP Session Cookie - URGENT HELP NEEDED PLEASE!!!

    Nov 13, 2014 07:05 AM|Wanraplin|LINK

    ' Re-sends the request's whole Cookie header value as a single Set-Cookie with HttpOnly
    Response.AddHeader "Set-Cookie", CStr(Request.ServerVariables("HTTP_COOKIE")) & ";path=/;HttpOnly"
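
    An added example, not code from the thread or from Jeremy, that puts together Jeremy's Jan 11 advice (use Response.AddHeader "Set-Cookie" and get the encoding, path and expires attributes right) with the one-line re-issue of the session cookie just above. It emits application cookies with HttpOnly and Secure from classic ASP, and re-sends only the ASPSESSIONID cookie rather than the whole Cookie header, so the other cookies are not mangled into attributes. The helper names (NowUtc, Rfc1123, BuildSetCookie, AddHttpOnlyCookie, ReissueSessionCookie) are the example's own; it assumes the WMI SWbemDateTime object can be created from the ASP process for the UTC conversion, and that the session cookie uses path=/ as IIS emits it.

```vbscript
<%
' Added example, not code from the thread: HttpOnly/Secure cookies from classic
' ASP via Response.AddHeader, plus re-issuing the ASP session cookie with
' HttpOnly. Helper names are this example's own; Response.AddHeader,
' Server.URLEncode and the ServerVariables are standard classic ASP. The WMI
' SWbemDateTime object is assumed to be creatable from the ASP process.
Option Explicit
Response.Buffer = True   ' headers can only be added before output is flushed

' Current time in UTC: Expires must be GMT, but VBScript's Now is server-local.
Function NowUtc()
    Dim dt
    Set dt = Server.CreateObject("WbemScripting.SWbemDateTime")
    dt.SetVarDate Now, True          ' True: the value passed in is local time
    NowUtc = dt.GetVarDate(False)    ' False: hand it back as UTC
End Function

' RFC 1123 date for the expires attribute, e.g. "Wed, 11 Jan 2012 07:54:00 GMT".
' Names are hard-coded so the server's locale cannot change them.
Function Rfc1123(utc)
    Dim days, months
    days   = Array("Sun","Mon","Tue","Wed","Thu","Fri","Sat")
    months = Array("Jan","Feb","Mar","Apr","May","Jun","Jul","Aug","Sep","Oct","Nov","Dec")
    Rfc1123 = days(Weekday(utc, vbSunday) - 1) & ", " & Right("0" & Day(utc), 2) & " " & _
              months(Month(utc) - 1) & " " & Year(utc) & " " & _
              Right("0" & Hour(utc), 2) & ":" & Right("0" & Minute(utc), 2) & ":" & _
              Right("0" & Second(utc), 2) & " GMT"
End Function

' One Set-Cookie header value. maxAgeSeconds <= 0 gives a session cookie.
' The value is URL-encoded so ';', ',' and spaces cannot break the header
' (the reader must URL-decode it; Request.Cookies does that for you).
Function BuildSetCookie(name, value, maxAgeSeconds, path, secure, httpOnly)
    Dim h
    h = name & "=" & Server.URLEncode(value) & "; path=" & path
    If maxAgeSeconds > 0 Then
        h = h & "; expires=" & Rfc1123(DateAdd("s", maxAgeSeconds, NowUtc()))
    End If
    If secure Then h = h & "; Secure"
    If httpOnly Then h = h & "; HttpOnly"
    BuildSetCookie = h
End Function

' Set an application cookie that page script cannot read. Secure is added
' whenever the request itself came in over HTTPS.
Sub AddHttpOnlyCookie(name, value, maxAgeSeconds)
    Dim secure
    secure = (UCase(Request.ServerVariables("HTTPS")) = "ON")
    Response.AddHeader "Set-Cookie", BuildSetCookie(name, value, maxAgeSeconds, "/", secure, True)
End Sub

' Re-send the ASP session cookie (ASPSESSIONID plus a random suffix) with
' HttpOnly, for servers without URL Rewrite. Only that cookie is echoed:
' pushing the whole HTTP_COOKIE header into one Set-Cookie turns every other
' cookie into a bogus attribute of the first one. Limitation: IIS creates the
' cookie on the first response of a session, when it is not yet in
' HTTP_COOKIE, so that first Set-Cookie still goes out without HttpOnly.
Sub ReissueSessionCookie()
    Dim pair, parts, h, secure
    secure = (UCase(Request.ServerVariables("HTTPS")) = "ON")
    For Each pair In Split(Request.ServerVariables("HTTP_COOKIE"), ";")
        parts = Split(Trim(pair), "=", 2)
        If UBound(parts) = 1 Then
            If UCase(Left(parts(0), 12)) = "ASPSESSIONID" Then
                h = parts(0) & "=" & parts(1) & "; path=/; HttpOnly"
                If secure Then h = h & "; Secure"
                Response.AddHeader "Set-Cookie", h
            End If
        End If
    Next
End Sub

' Usage at the top of each page (or in an include file), before any HTML:
ReissueSessionCookie
AddHttpOnlyCookie "AuthToken", "opaque value; with separators", 3600
%>
```

    Put it in an include pulled in at the top of every page: AddHeader only works before output is flushed, which is why Response.Buffer is set first. Check the result in Fiddler the way Jeremy did: every Set-Cookie line in the response should end with HttpOnly, and with Secure as well over https.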


  • Re: Setting HTTPONLY for CLASSIC ASP Session Cookie - URGENT HELP NEEDED PLEASE!!!

    Jan 08, 2016 07:11 AM|NileshGoje|LINK

    Hi Jeremy,

    I am using the IIS 6 + CLASSIC ASP and having similar issue. My email address is nilesh.goje@gmail.com . Can you please send me sample code for how to set HttpOnly for ASP Session cookie?

    Thanks in advance!

    Regards,

    Nilesh Goje

  • Re: Setting HTTPONLY for CLASSIC ASP Session Cookie - URGENT HELP NEEDED PLEASE!!!

    Feb 24, 2016 06:06 AM|petemahoney|LINK

    NileshGoje - if you do end up getting your hands on this config and code from Disha or Jeremy, will you share it with me as well mahpete@gmail.com.  Thanks!

    Pete

  • Re: Setting HTTPONLY for CLASSIC ASP Session Cookie - URGENT HELP NEEDED PLEASE!!!

    Mar 11, 2016 10:47 AM|Hulktheblaster|LINK

    Hi Jeremy,

    even i was facing the same problem but after i updated my web.config with your code above it started working, but when i am checking it in fiddler the cookie(ASPSESSIONID*) in login.asp response does not have HttpOnly attribute but all other page responses has that attribute.

    any help on this?

    Thanks in advance.

  • Re: Setting HTTPONLY for CLASSIC ASP Session Cookie - URGENT HELP NEEDED PLEASE!!!

    Apr 02, 2016 01:08 PM|Ken Schaefer|LINK

    I am going to close this thread.

    For anyone using IIS7 or newer (where web.config applies), please post a new thread in the IIS7 ASP Classic forum.