Setting HTTPONLY for Classic Asp Session Cookie

Question

Hello all,

Does anyone know exactly how to set HTTPONLY on classic ASP session cookies?

This is the final thing that's been flagged in a vulnerability scan and needs fixing ASAP, so any help is appreciated.

~~~A LITTLE MORE INFORMATION ON MY PROBLEM~~~

Can anyone please help me with this?

I need to know how to set HTTPONLY on the ASPSESSION cookie created by default from ASP & IIS.

This is the cookie automatically created by the server for all asp pages.

If needed i can set HTTPONLY on all cookie across the site.

Any help on how to do this would be massively appreciated.

Thanks

Thanks Elliott

Answer 1

Response.AddHeader "Set-Cookie", "CookieName=CookieValue; path=/; HttpOnly" 

Source: http://www.asp101.com/tips/index.asp?id=160

Answer 2

This page has lots of information that's relevant to your problem.

.NET 1.1 doesn't add HttpOnly because it hadn't been invented yet.

If your app will run under .NET 2.0 (I moved several Classic ASP sites to 2.0 virtually unchanged) HttpOnly is set by default.

If I read him right, you can get the Session cookie and append ; HttpOnly; to it. He gives a java example:

String sessionid = request.getSession().getId();
response.setHeader("SET-COOKIE", "JSESSIONID=" + sessionid + "; HttpOnly");

Lastly, he suggests:

if code changes are infeasible, web application firewalls can be used to add HttpOnly to session cookies

Answer 3

If it's that urgent, contact Microsoft and ask them.