Classic ASP ASPSessionID cookie HTTPOnly
in [ASP]
|
Prev: Read an element from XML in ASP
Next: Global.asa
From: Andrew on 18 Jan 2010 05:39 Hi, We have a classic ASP (not .Net) application that has been audited for security by a third party company. They recommend that we set the ASPSESSIONID Cookie, ie the one that is autogenerated for sessions, to use the HTTPOnly attribute. I can set this for cookies I explicitly create but cannot find any way in classic ASP to set this for the automatically generated one. Could someone please advise if this is possible so I can go back with a definitive answer? BR Andrew
From: Bob Barrows on 18 Jan 2010 09:28 Andrew wrote: > Hi, > > We have a classic ASP (not .Net) application that has been audited for > security by a third party company. They recommend that we set the > ASPSESSIONID Cookie, ie the one that is autogenerated for sessions, > to use the HTTPOnly attribute. > > I can set this for cookies I explicitly create but cannot find any > way in classic ASP to set this for the automatically generated one. > > Could someone please advise if this is possible so I can go back with > a definitive answer? > I don't know the answer, sorry (I never use cookies and have never had to worry about this attribute). If you get no replies here, you should try the ..inetserver.iis group. -- Microsoft MVP - ASP/ASP.NET - 2004-2007 Please reply to the newsgroup. This email account is my spam trap so I don't check it very often. If you must reply off-line, then remove the "NO SPAM"
From: Bob Barrows on 18 Jan 2010 09:41 Andrew wrote: > Hi, > > We have a classic ASP (not .Net) application that has been audited for > security by a third party company. They recommend that we set the > ASPSESSIONID Cookie, ie the one that is autogenerated for sessions, > to use the HTTPOnly attribute. > > I can set this for cookies I explicitly create but cannot find any > way in classic ASP to set this for the automatically generated one. > > Could someone please advise if this is possible so I can go back with > a definitive answer? > I've done some googling and this seems relevant: http://stackoverflow.com/questions/55296/how-exactly-do-you-configure-httponly-cookies-in-asp-classic Note: "HttpOnly does very little to improve the security of web applications. For one thing, it only works in IE (Firefox "supports" it, but still discloses cookies to Javascript in some situations). For another thing, it only prevents a "drive-by" attack against your application; it does nothing to keep a cross-site scripting attack from resetting passwords, changing email addresses, or placing orders." -- Microsoft MVP - ASP/ASP.NET - 2004-2007 Please reply to the newsgroup. This email account is my spam trap so I don't check it very often. If you must reply off-line, then remove the "NO SPAM"
From: Dan on 18 Jan 2010 10:12 "Andrew" <Andrew(a)discussions.microsoft.com> wrote in message news:B793BDE4-8304-44B8-850E-79E57BF31D92(a)microsoft.com... > Hi, > > We have a classic ASP (not .Net) application that has been audited for > security by a third party company. They recommend that we set the > ASPSESSIONID Cookie, ie the one that is autogenerated for sessions, to use > the HTTPOnly attribute. > > I can set this for cookies I explicitly create but cannot find any way in > classic ASP to set this for the automatically generated one. > > Could someone please advise if this is possible so I can go back with a > definitive answer? > > BR > > Andrew I don't think this is possible - .NET 2.0 automatically adds the HTTPOnly flag to automatically generated cookies (session ID and forms authentication) for ASP.NET applications, but classic ASP and .NET 1.1 do not. I guess it might be possible to parse the cookies sent by the browser on a subsequent request and rebuild the ASPSESSIONIDxxx cookie manually, adding the HTTPOnly flag, but I don't know whether it will work. If client code really wants to read or change that cookie then it can just use an AJAX call to do so anyway, so I wouldn't lose any sleep over it. -- Dan
From: Andrew on 15 Feb 2010 07:01 "Bob Barrows" wrote: > Andrew wrote: > > Hi, > > > > We have a classic ASP (not .Net) application that has been audited for > > security by a third party company. They recommend that we set the > > ASPSESSIONID Cookie, ie the one that is autogenerated for sessions, > > to use the HTTPOnly attribute. > > > > I can set this for cookies I explicitly create but cannot find any > > way in classic ASP to set this for the automatically generated one. > > > > Could someone please advise if this is possible so I can go back with > > a definitive answer? > > > I've done some googling and this seems relevant: > http://stackoverflow.com/questions/55296/how-exactly-do-you-configure-httponly-cookies-in-asp-classic > > Note: "HttpOnly does very little to improve the security of web > applications. For one thing, it only works in IE (Firefox "supports" it, but > still discloses cookies to Javascript in some situations). For another > thing, it only prevents a "drive-by" attack against your application; it > does nothing to keep a cross-site scripting attack from resetting passwords, > changing email addresses, or placing orders." > > -- > Microsoft MVP - ASP/ASP.NET - 2004-2007 > Please reply to the newsgroup. This email account is my spam trap so I > don't check it very often. If you must reply off-line, then remove the > "NO SPAM" > > > . > Thanks very much to everyone for their responses to this post. It has been helpful in allowing me to go back with a definitive answer to the client. I suspect I need to apologise to the group also, I did not see my posting appear initially so thinking I had done something wrong I reposted it, inadvertent spam I assure you. BR Andrew
|
Pages: 1 Prev: Read an element from XML in ASP Next: Global.asa |