views: 280
answers: 3

Hello all,

Does anyone know exactly how to set HTTPONLY on classic ASP session cookies?

This is the final thing that's been flagged in a vulnerability scan and needs fixing ASAP, so any help is appreciated.

~~~A LITTLE MORE INFORMATION ON MY PROBLEM~~~

Can anyone please help me with this?

I need to know how to set HTTPONLY on the ASPSESSION cookie created by default from ASP & IIS.

This is the cookie automatically created by the server for all asp pages.

If needed I can set HTTPONLY on all cookies across the site.

Any help on how to do this would be massively appreciated.

Thanks

Thanks Elliott

+2  A: 
Response.AddHeader "Set-Cookie", "CookieName=CookieValue; path=/; HttpOnly" 

Source: http://www.asp101.com/tips/index.asp?id=160

Martin Eve
E.Shafii
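As an added example (not code from this thread or from the linked asp101 page), a small Python checker that does what the vulnerability scan is doing: it parses Set-Cookie header values, reports any cookie that lacks HttpOnly (the IIS ASPSESSIONID cookie first), and shows the "; HttpOnly" suffix being appended the way the Response.AddHeader line above does. The header values and the ASPSESSIONIDQABCDEFG name are constructed samples.

```python
# Constructed sample of Set-Cookie header values as a classic ASP / IIS
# server might send them: the IIS session cookie without HttpOnly, a cookie
# set via Response.AddHeader with HttpOnly, and one with Secure as well.
SAMPLE_SET_COOKIE_HEADERS = [
    "ASPSESSIONIDQABCDEFG=ABCDEFGHIJKLMNOPQRSTUVWX; path=/",
    "CookieName=CookieValue; path=/; HttpOnly",
    "prefs=dark; path=/; Secure; HttpOnly",
]


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, {attribute: value}).

    Attribute names are lower-cased; flag attributes (HttpOnly, Secure)
    map to an empty string.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def missing_httponly(headers, session_prefix="ASPSESSIONID"):
    """Return the names of cookies that lack HttpOnly, session cookies first."""
    flagged = [parse_set_cookie(h)[0] for h in headers
               if "httponly" not in parse_set_cookie(h)[2]]
    # IIS names its classic ASP session cookie ASPSESSIONID<suffix>;
    # report those before any other cookie.
    flagged.sort(key=lambda n: not n.upper().startswith(session_prefix))
    return flagged


def add_httponly(header):
    """Append HttpOnly to a Set-Cookie value that lacks it, else return it unchanged.

    This is the transformation a WAF or outbound rewrite would apply.
    """
    if "httponly" in parse_set_cookie(header)[2]:
        return header
    return header.rstrip("; ") + "; HttpOnly"


if __name__ == "__main__":
    for cookie_name in missing_httponly(SAMPLE_SET_COOKIE_HEADERS):
        print("missing HttpOnly:", cookie_name)
    print(add_httponly(SAMPLE_SET_COOKIE_HEADERS[0]))
```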
A: 

This page has lots of information that's relevant to your problem.

.NET 1.1 doesn't add HttpOnly because it hadn't been invented yet.

If your app will run under .NET 2.0 (I moved several Classic ASP sites to 2.0 virtually unchanged) HttpOnly is set by default.

If I read him right, you can get the Session cookie and append ; HttpOnly; to it. He gives a Java example:

String sessionid = request.getSession().getId();
response.setHeader("SET-COOKIE", "JSESSIONID=" + sessionid + "; HttpOnly");

Lastly, he suggests:

if code changes are infeasible, web application firewalls can be used to add HttpOnly to session cookies

egrunin
Downvote???????
egrunin
*Another* downvote-without-comment? If it's wrong, just say so, I'll fix it. Jeez.
egrunin
A: 

If it's that urgent, contact Microsoft and ask them.

Cape Cod Gunny