I am having an issue with getting IIS7 to make all of my session cookies HTTPONLY when using a custom 404 page.

This is my web.config:

<rewrite>
    <outboundRules>
        <rule name="Add HttpOnly" preCondition="No HttpOnly">
            <match serverVariable="RESPONSE_Set_Cookie" pattern=".*" negate="false" />
            <action type="Rewrite" value="{R:0}; HttpOnly" />
            <conditions>
            </conditions>
        </rule>
        <preConditions>
            <preCondition name="No HttpOnly">
                <add input="{RESPONSE_Set_Cookie}" pattern="." />
                <add input="{RESPONSE_Set_Cookie}" pattern="; HttpOnly" negate="true" />
            </preCondition>
        </preConditions>
    </outboundRules>
</rewrite>
<httpErrors>
    <remove statusCode="404" subStatusCode="-1" />
    <error statusCode="404" prefixLanguageFilePath="" path="/404.asp" responseMode="ExecuteURL" />
</httpErrors>

This makes all of my cookies HTTPONLY except when there is a 404 response. The 404 page returns a session cookie without HTTPONLY.

Any suggestions?

  • web.config has absolutely nothing to do with classic asp. Furthermore, you cannot set HTTPONLY for classic asp session cookies – ulluoink Feb 13 '14 at 10:54
  • I am using IIS 7 so the website configuration is stored in the web.config, which is true even for my Classic ASP site. You are correct in that I can't instruct ASP itself to send cookies as HTTPONLY and that is why I am appending it through URL Rewrite. – rjprince11 Feb 13 '14 at 13:54
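The practical way to confirm whether the outbound rule is actually reaching the 404 response is to audit the Set-Cookie headers the server returns for a normal page and for a missing page, rather than reading the rule. The script below is an added example and is not code from the question or from IIS; the Set-Cookie values it checks are constructed samples, the cookie name is made up, and the URLs in `audit_url` are hypothetical. `add_httponly` mirrors what the outbound rule is meant to do (append `; HttpOnly` when the attribute is absent) so it can be compared against what the server really sent; the match is case-insensitive, which is looser than the literal `; HttpOnly` pattern in the rule's precondition.

```python
import re
import urllib.error
import urllib.request

# Matches an existing HttpOnly attribute anywhere in a Set-Cookie value.
# Case-insensitive: browsers accept "httponly" in any case, so a check that
# only looked for "; HttpOnly" would flag cookies that are actually protected.
HTTPONLY_RE = re.compile(r";\s*httponly\b", re.IGNORECASE)


def add_httponly(set_cookie_value):
    """Mirror of the outbound rule: append '; HttpOnly' when it is missing."""
    if HTTPONLY_RE.search(set_cookie_value):
        return set_cookie_value
    return set_cookie_value + "; HttpOnly"


def cookies_missing_httponly(set_cookie_values):
    """Return the names of cookies whose Set-Cookie value lacks HttpOnly."""
    missing = []
    for value in set_cookie_values:
        name = value.split("=", 1)[0].strip()
        if not HTTPONLY_RE.search(value):
            missing.append(name)
    return missing


def audit_url(url):
    """Fetch url and return (status, [cookie names missing HttpOnly]).

    urllib raises HTTPError for a 404, but the error object still carries the
    response headers, so the custom 404 page's cookies are inspected too.
    """
    try:
        resp = urllib.request.urlopen(url)
        status, headers = resp.status, resp.headers
    except urllib.error.HTTPError as err:
        status, headers = err.code, err.headers
    return status, cookies_missing_httponly(headers.get_all("Set-Cookie") or [])


# Constructed sample responses standing in for a real IIS site: a 200 whose
# cookie was rewritten correctly, and a 404 served by /404.asp whose session
# cookie came back without the attribute (the symptom described above).
SAMPLE_RESPONSES = {
    "/default.asp": (200, ["ASPSESSIONIDEXAMPLE=abc123; path=/; HttpOnly"]),
    "/does-not-exist": (404, ["ASPSESSIONIDEXAMPLE=abc123; path=/"]),
}


def audit_samples(responses=SAMPLE_RESPONSES):
    """Run the header check over the constructed samples; returns {path: missing}."""
    return {
        path: cookies_missing_httponly(values)
        for path, (_status, values) in responses.items()
    }


if __name__ == "__main__":
    for path, missing in audit_samples().items():
        status = SAMPLE_RESPONSES[path][0]
        verdict = "OK" if not missing else "missing HttpOnly: " + ", ".join(missing)
        print(f"{status} {path}: {verdict}")
    # Against a live site (hypothetical host), request a page that exists and
    # one that does not, so the custom 404 handler's headers are covered:
    # for path in ("/default.asp", "/does-not-exist"):
    #     print(audit_url("http://example.invalid" + path))
```

Running `audit_url` against the real site for both an existing page and a deliberately missing one gives a direct answer to whether the `ExecuteURL` error response is bypassing the outbound rule; if only the 404 result lists the session cookie, the rewrite is not being applied to the error response.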

0 Answers