Classic ASP ASPSessionID cookie HTTPOnly

Discussion in 'ASP General' started by Andrew, Jan 18, 2010.

  1. Andrew

    Andrew Guest

    Hi,

    We have a classic ASP (not .Net) application that has been audited for
    security by a third party company. They recommend that we set the
    ASPSESSIONID Cookie, ie the one that is autogenerated for sessions, to use
    the HTTPOnly attribute.

    I can set this for cookies I explicitly create but cannot find any way in
    classic ASP to set this for the automatically generated one.

    Could someone please advise if this is possible so I can go back with a
    definitive answer?

    BR

    Andrew
     
    Andrew, Jan 18, 2010
    #1
    1. Advertisements

  2. Andrew

    Bob Barrows Guest

    I don't know the answer, sorry (I never use cookies and have never had to
    worry about this attribute). If you get no replies here, you should try the
    ..inetserver.iis group.
     
    Bob Barrows, Jan 18, 2010
    #2
    1. Advertisements

  3. Andrew

    Bob Barrows Guest

    I've done some googling and this seems relevant:
    http://stackoverflow.com/questions/...you-configure-httponly-cookies-in-asp-classic

    Note: "HttpOnly does very little to improve the security of web
    applications. For one thing, it only works in IE (Firefox "supports" it, but
    still discloses cookies to Javascript in some situations). For another
    thing, it only prevents a "drive-by" attack against your application; it
    does nothing to keep a cross-site scripting attack from resetting passwords,
    changing email addresses, or placing orders."
     
    Bob Barrows, Jan 18, 2010
    #3
  4. Andrew

    Dan Guest


    I don't think this is possible - .NET 2.0 automatically adds the HTTPOnly
    flag to automatically generated cookies (session ID and forms
    authentication) for ASP.NET applications, but classic ASP and .NET 1.1 do
    not. I guess it might be possible to parse the cookies sent by the browser
    on a subsequent request and rebuild the ASPSESSIONIDxxx cookie manually,
    adding the HTTPOnly flag, but I don't know whether it will work. If client
    code really wants to read or change that cookie then it can just use an AJAX
    call to do so anyway, so I wouldn't lose any sleep over it.
     
    Dan, Jan 18, 2010
    #4
  5. Andrew

    Andrew Guest

    Thanks very much to everyone for their responses to this post. It has been
    helpful in allowing me to go back with a definitive answer to the client.

    I suspect I need to apologise to the group also, I did not see my posting
    appear initially so thinking I had done something wrong I reposted it,
    inadvertent spam I assure you.

    BR

    Andrew
     
    Andrew, Feb 15, 2010
    #5
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.