views: 535
answers: 1

Hi All,

I am trying to mark the ASP session ID cookie as HttpOnly but can't seem to find a way to tell if it is working. The environment I am trying this in is as follows: OS: Windows Server 2003; IIS: 6; ASP version: ASP 3 (Classic ASP).

In order to mark the cookie as http only, I followed MS KB

As per our architect's suggestion, to test whether this works, JavaScript's document.cookie should not be able to read the ASPSESSIONID* cookie. My issue is that javascript:alert(document.cookie) still echoes the ASPSESSIONID* cookie, although it appears to be encrypted(?)

I also tried to do this via Response.AddHeader "Set-Cookie" but can't determine what value to give this header to mark all the cookies, OR AT LEAST the ASP session ID cookie, as HttpOnly. Help!!!
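A direct way to tell whether the HttpOnly attribute actually reached the client is to look at the Set-Cookie response headers the server emits, since HttpOnly is what stops a page script from seeing the cookie in document.cookie (it is a separate attribute from Secure). The checker below is an added example, not code from the question or from any Microsoft KB article; the cookie names and header values are constructed samples, and the live fetch helper is only run if you call it with your own URL.

```python
"""Report which Classic ASP session cookies lack HttpOnly (added example, not from the question)."""
from typing import Dict, List, NamedTuple


class CookieReport(NamedTuple):
    name: str
    httponly: bool
    secure: bool


def parse_set_cookie(header: str) -> CookieReport:
    """Parse one Set-Cookie header value; attribute names are case-insensitive per RFC 6265."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return CookieReport(name, "httponly" in attrs, "secure" in attrs)


def audit_session_cookies(set_cookie_headers: List[str],
                          prefix: str = "ASPSESSIONID") -> Dict[str, CookieReport]:
    """Report on every cookie whose name starts with prefix (Classic ASP appends a random suffix)."""
    reports = (parse_set_cookie(h) for h in set_cookie_headers)
    return {r.name: r for r in reports if r.name.upper().startswith(prefix)}


def missing_httponly(set_cookie_headers: List[str], prefix: str = "ASPSESSIONID") -> List[str]:
    """Names of session cookies a page script could still read through document.cookie."""
    return sorted(n for n, r in audit_session_cookies(set_cookie_headers, prefix).items()
                  if not r.httponly)


def fetch_set_cookie_headers(url: str) -> List[str]:
    """Live check against your own server: return every Set-Cookie header in the response."""
    import urllib.request
    with urllib.request.urlopen(url) as resp:  # URL is supplied by the operator
        return resp.headers.get_all("Set-Cookie") or []


# Constructed sample headers, as the server might send them before and after the fix.
SAMPLE_BEFORE = ["ASPSESSIONIDQSQCQAST=ABCDEFGHIJKLMNOPQRSTUVWX; path=/", "lang=en; path=/"]
SAMPLE_AFTER = ["ASPSESSIONIDQSQCQAST=ABCDEFGHIJKLMNOPQRSTUVWX; path=/; HttpOnly", "lang=en; path=/"]

if __name__ == "__main__":
    print("before fix, readable by script:", missing_httponly(SAMPLE_BEFORE))  # ['ASPSESSIONIDQSQCQAST']
    print("after fix, readable by script:", missing_httponly(SAMPLE_AFTER))    # []
```

Classic ASP only sends the ASPSESSIONID cookie on the response that first creates the session, so run the live check with a fresh client (no stored cookies) against a page that touches the Session object.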

+2  A: 

I don't think your architect is correct regarding accessing the cookie in javascript.

There is no reason to stop javascript running in your page from accessing the cookie any more than javascript accessing the rest of your data in the HTML.

The purpose of adding the secure qualifier to a cookie is to prevent it from being sent in an insecure request.

Ordinarily, cookies set when the client is connected using https will still be sent when requests are made to the same server using plain http. Marking a cookie with the secure qualifier when it is set indicates to the client that it should only be sent in subsequent requests if those requests are using https.

Hence, to test your setting, get yourself a copy of Fiddler; with that running, hit the server over https, then in the same browser session hit the same location with just http. Fiddler should show the second request going to the server, and there should not be an ASPSESSION cookie present.

AnthonyWJones