I have an app that is a combination of asp/asp.net, and both sides depend on the same cookies (they are in the same domain). There are some values in the cookies that I don't want going to the client anymore due to security concerns. What I was hoping to accomplish is to take out these values so they no longer go to the client, and then on every server request, somehow "inject" the values back into the cookie so the app will still function properly.

Is this even possible? I thought it might be through ISAPI, but I don't know C++ too well.

+1  A: 

Use the Set-Cookie header.

"Set-Cookie:Test=test_value; expires=Sat, 01-Jan-2000 00:00:00 GMT; path=/;"

Providing a back date for 'expires' will delete the cookie from the client.

fasih.ahmed
+1  A: 

I think that an ISAPI filter is your only option. If you don't want to use C++, then it can be done in Python.

The other option is to upgrade the server to Windows 2008. In IIS 7 it is possible to write an ISAPI filter in a .NET language.

Changing the applications is a much saner option.

Igal Serban
+1  A: 

Just a guess since the question isn't specific, but if the reason you don't want the info in the cookie is to keep someone from reading it and using it for other purposes, you may want to look at some sort of reversible encryption or some other obfuscation technique to keep the information from being human-readable.

I don't know if Session or App variables can be read by both ASP and ASP.NET, but you may also want to look into using a database table to store the information and just give them a session ID that's used to look it up. Kind of like an ad hoc Session variable.

To get a better answer, you might want to edit the question to be more specific about what "security issues" you are worried about. They may be non-issues or there may be a way of dealing with the issue itself that doesn't involve odd hacks.

As much as I'd like to say "Just change it all to one or the other" I understand that that isn't always an option. ;)

AnonJr
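
The lookup-table approach from the last answer, sketched as an added example that is not part of any answer above: sensitive values are held server-side and the client receives only a random ID, with the values merged back in on each request. Python and an in-memory SQLite table stand in for the ASP/ASP.NET layer and the shared database; the cookie names, the timeout and the function names are assumptions.

```python
import secrets
import sqlite3
import time

SENSITIVE_KEYS = {"role", "account_id"}  # assumed names of the values to keep off the client
SID_COOKIE = "sid"                       # assumed name of the lookup-ID cookie
TTL_SECONDS = 1200                       # assumed lifetime of a stored value

db = sqlite3.connect(":memory:")         # stands in for the shared database table
db.execute("CREATE TABLE cookie_store (sid TEXT, name TEXT, value TEXT,"
           " expires REAL, PRIMARY KEY (sid, name))")

def stored_values(sid, now):
    """Unexpired server-side values for this ID (empty for unknown or forged IDs)."""
    rows = db.execute("SELECT name, value FROM cookie_store"
                      " WHERE sid = ? AND expires > ?", (sid, now))
    return dict(rows.fetchall())

def strip_outgoing(cookies, sid=None, now=None):
    """Response side: store sensitive values, return only what may reach the client."""
    now = time.time() if now is None else now
    if sid is None or not stored_values(sid, now):
        sid = secrets.token_urlsafe(32)  # never adopt an ID the server did not issue
    client = {}
    for name, value in cookies.items():
        if name in SENSITIVE_KEYS:
            db.execute("INSERT OR REPLACE INTO cookie_store VALUES (?, ?, ?, ?)",
                       (sid, name, value, now + TTL_SECONDS))
        else:
            client[name] = value
    client[SID_COOKIE] = sid
    return client

def inject_incoming(cookies, now=None):
    """Request side: rebuild the cookie set the application expects."""
    now = time.time() if now is None else now
    # Discard anything the client sent under a sensitive name; only the table is trusted.
    merged = {k: v for k, v in cookies.items() if k not in SENSITIVE_KEYS}
    merged.update(stored_values(cookies.get(SID_COOKIE, ""), now))
    return merged

if __name__ == "__main__":
    sent = strip_outgoing({"theme": "dark", "role": "admin"})  # constructed sample cookies
    print("to client:", sent)
    print("to app:   ", inject_incoming(sent))
```

The ID cookie should be issued with the HttpOnly and Secure attributes, since anyone holding it is treated as the owner of the stored values.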