5
<script type="text/javascript" language="javascript">
function setCookie()
{
    var path = '/', host = document.location.hostname;
    document.cookie = 'random=' + Math.floor(Math.random()*11) + '; path=' + path + ( host ? '; domain=' + document.location.hostname : "" ) ;
}
function readCookie()
{
    alert(document.cookie)
}
</script>

My life would be a lot simpler if I had an easy way to change aspsessionid**** to just sessionid in my logs. Is there a quick way to do this ... in Windows? There must be a script, batchfile, command or something that I can run as a scheduled daily task on new logfiles. At times like this I wish I could program. Suggestions welcome please!

Frank
  • 1,056
  • 3
  • 17
  • 38
Gürkan Pala
  • 233
  • 3
  • 11
  • what ???????? do you mean the "ASP.NET_SessionId." cookie ? – Royi Namir Nov 16 '11 at 15:00
  • @frank is not so clear (for me) what you actually search here. You need to change this cookie name on your logs with a search/release ? or do you want to change this on asp ? - or do you want to change this on asp.net? Please be more clear – Aristos Jun 18 '12 at 11:26
  • Bounty started on this question but the description attached to the bounty varies quite a bit from the actual question. – AnthonyWJones Jun 18 '12 at 21:23
  • If I am not wrong you want to secure your aspsession in cookie, you should check http://stackoverflow.com/questions/953361/how-to-secure-classic-asp-aspsessionid-cookie – Ravi Vanapalli Jun 19 '12 at 12:30

4 Answers

5

There is no option (known or documented - available to the public) to change the name of aspsessionids (classic asp).

You can disable the session (ASP -> Session Properties -> Enable Session State: false) from IIS or by using the @ENABLESESSIONSTATE directive and move on with your own cookies served from asp (and not by JavaScript). But this is OK only if you don't need the session object in your application.

A better approach is to change these "strings" in log files using Regex (asp version is already presented by Anthony W Jones) or by .net (minimal simplified C# sample):

using System;
using System.IO;
using System.Text.RegularExpressions;

Regex rx = new Regex("ASPSESSIONID[A-Z]+=");

string log = rx.Replace(File.ReadAllText("u_ex120618.log"), "ASPSESSIONID=");
Console.WriteLine(log);

More about aspx and IIS

One option is to use a handler to remove headers.

using System;
using System.Diagnostics.CodeAnalysis;
using System.Web;

public class RemoveHttpHeadersModule : IHttpModule
{
    public RemoveHttpHeadersModule()
    {
    }

    public void Dispose()
    {
    }

    public void Init(HttpApplication context)
    {
        if (context != null)
                context.PreSendRequestHeaders += this.OnPreSendRequestHeaders;
    }

    [SuppressMessage("Microsoft.Portability", "CA1903:UseOnlyApiFromTargetedFramework", MessageId = "System.Web.HttpResponse.#get_Headers()")]
    private void OnPreSendRequestHeaders(object sender, EventArgs e)
    {
        try
        {
            HttpContext.Current.Response.Headers.Remove("ETag");
            HttpContext.Current.Response.Headers.Remove("Server");
            HttpContext.Current.Response.Headers.Add("Server", "my server");
        }
        catch (HttpException)
        {
            throw;
        }
    }
}

Another option is to control everything in global.asax (code or compiled library) - covering the case you don't have access to IIS manager.

Remove (and/or add) headers:

protected internal void Application_PreSendRequestHeaders(object sender, EventArgs e)
{
    HttpContext.Current.Response.Headers.Remove("X-AspNet-Version");
    HttpContext.Current.Response.Headers.Remove("X-Powered-By");
    HttpContext.Current.Response.Headers.Remove("ETag");
    HttpContext.Current.Response.Headers.Remove("Server");
}

Handle errors

protected internal void Application_Error(object sender, EventArgs e)
{
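    // get the error code (500 when the error is not an HttpException)
    HttpException httpError = HttpContext.Current.Error as HttpException;
    int ec = httpError != null ? httpError.GetHttpCode() : 500;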
    // get the request path
    // string req = HttpContext.Current.Request.Path;
    // *** I suggest you to log the error before moving on
    // clear the error to avoid IIS actions
    HttpContext.Current.Server.ClearError();
    if (ec == 404)
    {
        // do what ever you want
    }
    // ... add other error codes handling;
}

The next step is to hide aspx.

Assume that we want our .aspx pages presented as .html. This is answered here: What is the proper way to map .html to the ASP.NET pipeline in IIS7

Just take care to select the correct framework version. If you don't have access to IIS manager, then modify your web.config (presenting only what is needed for this task):

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <handlers>
            <add name="htmlpipe" path="*.html" verb="*" modules="IsapiModule" scriptProcessor="%windir%\Microsoft.NET\Framework64\v4.0.30319\aspnet_isapi.dll" resourceType="Unspecified" preCondition="classicMode,runtimeVersionv4.0,bitness64" />
        </handlers>
    </system.webServer>
</configuration>

The above setting may differ to your pc, server etc. Having a testing environment with the same basic attributes (framework version, 32/64bit), make the change in your IIS and then check the generated entry in your web.config.

Allow me to make a joke. "Do you like this product?"

Thank you Frank, you made me plug in some old disks and find things that were forgotten. I'm sorry for not having suggestions for classic ASP.

PS. Don't forget the answer by HackedByChinese.

Community
  • 1
  • 1
  • How do the guys at Port80 software do it? Product is called ServerMask – Frank Jun 18 '12 at 21:51
  • They have access to a source that we don't, or they have their own custom session management. –  Jun 18 '12 at 21:53
  • If you were to write your own .dll with identical session functions. But used the same namespaces, calls etc, would that work? If you write your own component for sessions or querystring, or whatever, will they fail since those names are already in use ? – Frank Jun 18 '12 at 21:56
  • If you write your own library for session management, there is no reason to use the same namespace. –  Jun 18 '12 at 22:04
  • Unless if you write the identical library and want to use it as a replacement of asp sessions without any changes to existing code. – Frank Jun 18 '12 at 22:11
  • Or you/they have access to sources that I/we don't. –  Jun 18 '12 at 22:14
  • See this answer (https://stackoverflow.com/a/53923544/1049710) for a way to change the name of the ASPSESSIONID cookie for asp classic. – Jonas Äppelgran Mar 02 '20 at 13:17
1

If you are using .NET 2.0 or greater, you can change the cookie name via web.config.

<configuration>
   <system.web>
      <sessionState cookieName="sessionid" />
   </system.web>
</configuration>
moribvndvs
  • 42,191
  • 11
  • 135
  • 149
  • @Frank Sorry. The question is tagged as ASP.NET – moribvndvs Jun 18 '12 at 08:57
  • No worries. Looking for a complete IIS solution. Web.config allows you to remove the IIS headers, but MSFT has not made it easy to mask or rename ASPSESSIONID, unless if I am missing something. – Frank Jun 18 '12 at 09:04
0

The answer to the bounty description is: "not really".

The only thing you can do is stop using the session object altogether and disable sessions. You would therefore need to create your own session management (storing data in a DB for example) and track your own sessions with a cookie.

The following is an answer to the original (now quite old) question.

Here is a VBScript function which will replace the ASPSessionIDxxxxxxxx= in a log file (I'm assuming the standard IIS logfiles with cookie logging enabled).

Sub ReplaceASPSessionIDInLog(path)

    Dim fso :  Set fso = CreateObject("Scripting.FileSystemObject")

    Dim stream : Set stream = fso.OpenTextFile(path)
    Dim input: input = stream.ReadAll()
    stream.close()

    Dim rgx : Set rgx = new RegExp
    ' [A-Z]+ stops at the first "="; a greedy .+ would run on to the last "=" on the line
    rgx.Pattern = "ASPSESSIONID[A-Z]+(?=\=)"
    rgx.Global = True
    rgx.IgnoreCase = True

    Dim output : output = rgx.Replace(input, "SESSIONID")

    Set stream = fso.OpenTextFile(path, 2)
    stream.Write output
    stream.close()

End Sub
AnthonyWJones
  • 187,081
  • 35
  • 232
  • 306
  • Thanks Anthony. I am trying to get the ASPSESSION to change the physical cookie name that is sent to the client. Two reasons: 1 to make it short, 2nd so that visitors do not know it's an ASPSESSION. Security through obscurity. – Frank Jun 18 '12 at 21:23
  • @Frank: yeah I just noticed the bounty description not actually matching the original question. Sadly the short answer is simply: no. Are you also changing the file extension that is mapped to the ASP processor? If not the .asp extension is a bit of a giveaway too. – AnthonyWJones Jun 18 '12 at 21:30
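
An added example, not part of the answers above: the log clean-up that the first and third answers do with a regex, written in Python and taken one step further by reading the #Fields: header and renaming only inside the cs(Cookie) column. The sample log lines and the names normalize_log, rewrite_file and GREEDY_NAME are constructed for illustration; GREEDY_NAME is there to show why the suffix is matched with [A-Z]+ rather than .+ when more than one cookie is logged.

```python
import re

# Classic ASP appends a run of uppercase letters to the cookie name.
SESSION_NAME = re.compile(r"ASPSESSIONID[A-Z]+(?==)")
# Greedy variant for comparison: ".+" runs on to the last "=" in the string.
GREEDY_NAME = re.compile(r"ASPSESSIONID.+(?==)")

# Constructed sample in IIS W3C layout (not taken from a real server).
SAMPLE = [
    "#Software: Microsoft Internet Information Services 7.5",
    "#Fields: date time cs-method cs-uri-stem cs(Cookie) sc-status",
    "2012-06-18 09:04:11 GET /default.asp "
    "ASPSESSIONIDQSBTCDRA=JKLMNOPQ;+ASPSESSIONIDSCRDTBQA=ABCDEFGH;+random=7 200",
    "2012-06-18 09:04:12 GET /ASPSESSIONIDFAQ=1.asp - 404",
]


def normalize_log(lines, new_name="sessionid"):
    """Rename ASPSESSIONID* cookies, touching only the cs(Cookie) column."""
    cookie_col = None
    out = []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            cookie_col = fields.index("cs(Cookie)") if "cs(Cookie)" in fields else None
        elif not line.startswith("#") and cookie_col is not None:
            cols = line.split(" ")
            if cookie_col < len(cols):
                cols[cookie_col] = SESSION_NAME.sub(new_name, cols[cookie_col])
            line = " ".join(cols)
        out.append(line)
    return out


def rewrite_file(src, dst):
    """Write a normalized copy of src to dst; newline="" keeps CRLF intact."""
    with open(src, encoding="latin-1", newline="") as fin:
        lines = normalize_log(fin.readlines())
    with open(dst, "w", encoding="latin-1", newline="") as fout:
        fout.writelines(lines)


if __name__ == "__main__":
    for row in normalize_log(SAMPLE):
        print(row)
```

Writing to a separate destination file keeps the original log available as evidence; a scheduled task can call rewrite_file on each closed log file.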
0

This code works if you want to get rid of all session cookies except the last one created:

Sub DeleteOldSession(logincookiename)

    Dim strSessionCookie, arrSessionCookie, i, a
    i = 0
    a = 1

    strSessionCookie = Request.ServerVariables("HTTP_COOKIE")

    if strSessionCookie <> "" then

    Dim intCookieValueStart, intCookieValueEnd, intCookieValueLength, strSessionCookieName, strSessionCookieValue

        arrSessionCookie = Split(strSessionCookie,";")

        if Ubound(arrSessionCookie) > 0 then

            if InStr(strSessionCookie,logincookiename) = 0 then a = 0

            if Ubound(arrSessionCookie) > a AND InStr(arrSessionCookie(Ubound(arrSessionCookie)),"NULL") = 0 then

                For i = 0 to Ubound(arrSessionCookie)
                    if i >= a AND InStr(arrSessionCookie(i),"ASPSESSIONID") then
                        intCookieValueStart = InStr(arrSessionCookie(i),"=")
                        intCookieValueEnd = Len(arrSessionCookie(i))
                        intCookieValueLength = intCookieValueEnd - intCookieValueStart
                        strSessionCookieName = Mid(arrSessionCookie(i),1,intCookieValueStart-1)
                        strSessionCookieValue = Mid(arrSessionCookie(i),intCookieValueStart+1,intCookieValueLength)
                        response.write("<script type=""text/javascript"">")
                        response.write("setCookie('" & strSessionCookieName & "','NULL',0)")
                        response.write("</script>")
                        'if lngUser = 1 then response.write("<p class=""alert"">" & strSessionCookieName & "</p>")
                    end if
                Next

            end if

        end if

    end if

end sub