4

I am trying to mark the ASP session ID cookie as HttpOnly but can't seem to find a way to tell if it is working. The environment I am trying this in is as follows:

OS: Windows Server 2003
IIS: 6
ASP Version: ASP 3 (Classic ASP)

In order to mark the cookie as http only, I followed MS KB

As per our architect's suggestion, to test whether this works, a javascript document.cookie should not be able to read the ASPSESSIONID* cookie. My issue is that javascript:alert(document.cookie) still echoes the ASPSESSIONID* cookie, although it appears to be encrypted(?)

I also tried to do this via Response.AddHeader "Set-Cookie" but can't determine what value to give for this header to mark all the cookies OR AT LEAST the ASP Session ID cookie as HttpOnly. Help!!!

Sudhanshu Mishra
  • The title and the question itself do not ask the same thing. The title is about the `Secure` flag, and the question is about the `HttpOnly` flag. They do not serve the same purpose. Can you clear the confusion please? – Frédéric Jan 07 '19 at 09:24

3 Answers

5

Just came across this issue because of a "new" PCI compliance item. It's a bit clumsy but this seems to work:

<%
' Re-issue the ASP session cookie with the HttpOnly flag. IIS 6 sets it without
' the flag, so this reads the cookie the client sent back and sets it again.
' The very first response to a new client still carries the unprotected cookie.
Dim AspSessionCookie
AspSessionCookie = Request.ServerVariables("HTTP_COOKIE")

If InStr(AspSessionCookie, "ASPSESSIONID") > 0 Then
    ' Keep only the ASPSESSIONIDxxxx=value pair out of the whole Cookie header
    AspSessionCookie = "ASPSESSIONID" & Split(AspSessionCookie, "ASPSESSIONID")(1)
    If InStr(1, AspSessionCookie, ";") Then
        AspSessionCookie = Split(AspSessionCookie, ";")(0)
    End If

    Response.AddHeader "Set-Cookie", AspSessionCookie & ";HttpOnly"
Else
    ' No session cookie sent yet: redirect so the client comes back with one
    ' (this loops if the client refuses cookies)
    Response.Redirect Request.ServerVariables("URL")
End If
%>
Frédéric
Stephen
  • Looks to be worth a shot. Have you tried viewing the response in fiddler? – Sudhanshu Mishra Jan 10 '13 at 05:07
  • Here's how to do it using web.config: https://stackoverflow.com/q/36045022/901156. Works great unless you have a 404 error in effect. Still trying to figure that one out... – Matt Borja Mar 16 '16 at 19:30
  • This answer is a mitigation at best. This solution lets the session cookie be set unsecured at first, then on the next client request, it patches it for securing it. @rdev5 solution in his linked question is better. – Frédéric Jan 04 '19 at 14:21
3

You seem to be confused between SECURE and HTTPONLY. These are different. The MS KB article you refer to is for SECURE.

Setting a cookie SECURE will stop IIS/Browser sending the ASP Session ID over HTTP.

Setting a cookie HTTPONLY will stop script (javascript) from accessing the value in most browsers.

There is a very GOOD reason to set HTTPONLY on a sessionID cookie. It helps prevent theft of the user's sessionID cookie, which could lead to session hijacking. That is why major browsers have implemented it.

  • A bit late, but I was very clearly seeking a way to mark the classic ASP session Id as an HTTPONLY. Please re-read my question. Anyways, as it turns out, there isn't a way to do this in classic ASP. – Sudhanshu Mishra Aug 31 '11 at 10:50
  • Realise it was probably a bit late for you, I added the comment for anyone else who stumbled across misleading responses – Steve Wombat Oct 11 '11 at 23:30
  • @dotnetguy, see this related [question](https://stackoverflow.com/q/953361/1178314), there is a way to do this with the UrlRewrite IIS extension, explained in [my answer](https://stackoverflow.com/a/54076153/1178314). – Frédéric Jan 07 '19 at 14:26
2

I don't think your architect is correct regarding accessing the cookie in javascript.

There is no reason to stop javascript running in your page from accessing the cookie any more than javascript accessing the rest of your data in the HTML.

The purpose of adding the secure qualifier to a cookie is to prevent it from being sent in an unsecure request.

Ordinarily, cookies set when the client is connected using https will still be sent when requests are made to the same server using plain http. Marking a cookie with the secure qualifier when it is set indicates to the client that it should only be sent in subsequent requests if those requests are using https.

Hence, to test your setting, get yourself a copy of Fiddler; with that running, hit the server over https, then in the same browser session hit the same location with just http. Fiddler should show the second request going to the server, and there should not be an ASPSESSION cookie present.

AnthonyWJones
  • The question was not about the `Secure` flag but about the `HttpOnly` flag, which is meant to forbid JavaScript code to see the cookie. So his architect is correct in the way of testing this, and this answer, though accepted, is wrong. (Granted, the confusion comes from the title.) – Frédéric Jan 04 '19 at 14:22