Setting HTTPONLY for CLASSIC ASP Session Cookie - URGENT HELP NEEDED...
Feb 26, 2013 10:08 AM | bclark-rdc
I'd like to endorse this URL Rewrite method:
If you are using IIS7 or IIS7.5 and install the URL Rewriting add-in then you can do this.
I have a number of Classic ASP apps that I run on IIS 7.5 and this rule worked for me. Two things that I did differently are:
I changed the match serverVariable pattern to be "ASPSESSIONID*" rather than ".*". That just happens to be what all of my session ID cookies start with, so it worked well for me. Your apps may be different. This is what this looks like in my rule:
<match serverVariable="RESPONSE_Set_Cookie" pattern="ASPSESSIONID*" negate="false" />
I changed the patternSyntax to "Wildcard" because the default is RegEx and Wildcard is needed to make the above pattern work properly. This is what that looks like in my rule:
<rule name="Add HttpOnly" preCondition="No HttpOnly" patternSyntax="Wildcard">
Best of luck!
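
For reference, a complete outbound rule carrying the two changes described in this post, as an added example that is not the poster's own configuration. Only the `<rule>` and `<match>` lines appear in the post; the `<action>` and `<preCondition>` elements are assumed from the commonly published form of this rule.

```xml
<!-- web.config fragment; requires the IIS URL Rewrite module (outbound rules). -->
<configuration>
  <system.webServer>
    <rewrite>
      <outboundRules>
        <!-- From the post: patternSyntax="Wildcard" so that "ASPSESSIONID*"
             is a prefix match on the whole Set-Cookie value. -->
        <rule name="Add HttpOnly" preCondition="No HttpOnly" patternSyntax="Wildcard">
          <!-- From the post: only cookies starting with ASPSESSIONID are rewritten.
               Cookies with any other name pass through unchanged. -->
          <match serverVariable="RESPONSE_Set_Cookie" pattern="ASPSESSIONID*" negate="false" />
          <!-- Assumed (not shown in the post): {R:0} is the full matched value. -->
          <action type="Rewrite" value="{R:0}; HttpOnly" />
        </rule>
        <preConditions>
          <!-- Assumed (not shown in the post): run only when a Set-Cookie header
               exists and does not already carry HttpOnly. preCondition patterns
               use their own syntax setting, regular expressions by default. -->
          <preCondition name="No HttpOnly">
            <add input="{RESPONSE_Set_Cookie}" pattern="." />
            <add input="{RESPONSE_Set_Cookie}" pattern="; HttpOnly" negate="true" />
          </preCondition>
        </preConditions>
      </outboundRules>
    </rewrite>
  </system.webServer>
</configuration>
```

After deploying, inspect the `Set-Cookie` response header for the session cookie and confirm it ends with `; HttpOnly`.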