9

Is there a way to mark classic ASP ASPSESSIONID* cookies as secure? It appears that the ASP ISAPI handler adds that session id cookie after my page is done rendering so putting code at the end of my page to loop through the Response.Cookie collection and mark them as secure doesn't seem to touch the ASPSESSIONID* cookie. Any other way of doing this?

slolife
  • 19,520
  • 20
  • 78
  • 121

4 Answers4

9

The answer is no there isn't There isn't on the standard UI provided by IIS manager. However, you can enable secure cookies for the SessionID via the AspKeepSessionIDSecure Metabase value

AnthonyWJones
  • 187,081
  • 35
  • 232
  • 306
  • Since my site is expecting that all communication is via https, I'd like to know that the cookie won't be transmitted insecure. Pages 8-10 of the following document explain why the secure flag is needed: http://www.isecpartners.com/files/web-session-management.pdf – slolife Jun 05 '09 at 16:59
  • Assuming all traffic is over HTTPS then it won't be. There is a possiblity that it might be if the user removes the 's' from http and tries to talk to your site. But even if they do what is the harm in that if your site only uses Https? – AnthonyWJones Jun 05 '09 at 17:28
  • I completely agree with you that it is far fetched, but one of our clients, in reviewing our code, brought this up as an issue. Not a high priority issue, but something I wanted to investigate. Even though the server doesn't talk http, the browser doesn't know that and will send the cookie over http since the Secure bit is not set on the cookie. – slolife Jun 08 '09 at 16:08
  • BTW, this link: http://www.microsoft.com/technet/security/bulletin/MS00-080.mspx Makes me think it is possible or even supported. The article talks about IIS4 or 5, but I am running 5.1 and 6. Do you have documentation that supports your answer of "No, it is not possible"? – slolife Jun 08 '09 at 16:12
  • No, in fact I've just found some documentation that shows how it is possible ;). – AnthonyWJones Jun 09 '09 at 08:10
  • Reference for what @slolife's customer might have been worried about: https://resources.enablesecurity.com/resources/Surf%20Jacking.pdf. The short of it is that even with a site that is only accessible by HTTPS cookies that aren't secure can be stolen by a man-in-the-middle. – Tyler Szabo Dec 29 '11 at 21:08
  • @Tyler: Yes that is exactly the sort of attack that enabling `AspKeepSessionIDSecure` is designed to prevent. – AnthonyWJones Dec 29 '11 at 22:03
  • Whoops, misread the comment context. Well, the link's good anyway ;) – Tyler Szabo Jan 03 '12 at 21:44
3

As found here, an UrlRewrite rule can handle this.

The rules below handle it for adding both HttpOnly and Secure if they are missing on the ASPSESSIONID cookie. (For other cookies, normally they are emitted by the site ASP code: better handle that directly in the code responsible for them.)

<system.webServer>
  <rewrite>
    <outboundRules>
      <rule name="Add HttpOnly" preCondition="No HttpOnly">
        <match serverVariable="RESPONSE_Set_Cookie" pattern="\s*ASPSESSIONID.*" />
        <action type="Rewrite" value="{R:0}; HttpOnly" />
      </rule>
      <rule name="Add Secure" preCondition="No Secure">
        <match serverVariable="RESPONSE_Set_Cookie" pattern="\s*ASPSESSIONID.*" />
        <action type="Rewrite" value="{R:0}; Secure" />
        <conditions>
          <add input="{HTTP_HOST}" pattern="localhost" negate="true" />
        </conditions>
      </rule>
      <preConditions>
        <preCondition name="No HttpOnly">
          <add input="{RESPONSE_Set_Cookie}" pattern="; HttpOnly" negate="true" />
        </preCondition>
        <preCondition name="No Secure" logicalGrouping="MatchAll">
          <add input="{RESPONSE_Set_Cookie}" pattern="; Secure" negate="true" />
        </preCondition>
      </preConditions>
    </outboundRules>
  </rewrite>
</system.webServer>

If UrlRewrite is not installed in the IIS Server, this will crash the site.

Note that the Secure rule should not be applied if the site is legitimately accessed over http instead of https, thus the condition for not emitting it when browsing it locally. If Secure is emitted for a site accessed over http from the client end, the client will not send the cookie back to the server.

(I avoid testing the inbound protocol, because the sites I work on are not supposed to be accessed on http anyway, excepted eventually directly from their hosting server or load-balancer.)

I have previously tried using asp/session/keepSessionIdSecure, but it has no effect (at least for a site behind a load-balancer terminating the https and accessing the site server over http). This setting is the modern version (IIS 7+) of the AspKeepSessionIDSecure Metabase value pointed by AnthonyWJones answer.

Frédéric
  • 9,364
  • 3
  • 62
  • 112
3

I run this command:

CSCRIPT C:\Inetpub\AdminScripts\adsutil.vbs set w3svc/1/AspKeepSessionIDSecure 1

More information here: http://blogs.msdn.com/b/rahulso/archive/2007/06/19/cookies-case-study-with-ssl-and-frames-classic-asp.aspx

Julio Garcia
  • 31
  • 2
  • 1
    Handy script. Note have run this once for each desired website by ... set w3svc/[site identifier here]/AspKeepSessionIdSecure 1 – Jens Frandsen Feb 05 '14 at 21:17
1

[Edit: You can ignore the following. I just realized that you were talking about ASPSESSIONID.}

There is built-in support for secure cookies.

See http://msdn.microsoft.com/en-us/library/ms524757.aspx

Example (for ASP.Net, not Classic ASP):

Response.Cookies("setSecure") = "someValue"
Response.Cookies("setSecure").Secure = true
Community
  • 1
  • 1
JDog
  • 19
  • 1