views: 1788, answers: 2

Is there a way to mark classic ASP ASPSESSIONID* cookies as secure? It appears that the ASP ISAPI handler adds that session id cookie after my page is done rendering so putting code at the end of my page to loop through the Response.Cookie collection and mark them as secure doesn't seem to touch the ASPSESSIONID* cookie. Any other way of doing this?

+3  A: 

The answer is no, there isn't on the standard UI provided by IIS manager. However, you can enable secure cookies for the SessionID via the AspKeepSessionIDSecure metabase value.

AnthonyWJones
Since my site is expecting that all communication is via HTTPS, I'd like to know that the cookie won't be transmitted insecurely. Pages 8-10 of the following document explain why the secure flag is needed: http://www.isecpartners.com/files/web-session-management.pdf
slolife
Assuming all traffic is over HTTPS then it won't be. There is a possibility that it might be if the user removes the 's' from http and tries to talk to your site. But even if they do, what is the harm in that if your site only uses HTTPS?
AnthonyWJones
I completely agree with you that it is far fetched, but one of our clients, in reviewing our code, brought this up as an issue. Not a high priority issue, but something I wanted to investigate. Even though the server doesn't talk HTTP, the browser doesn't know that and will send the cookie over HTTP since the Secure bit is not set on the cookie.
slolife
BTW, this link: http://www.microsoft.com/technet/security/bulletin/MS00-080.mspx makes me think it is possible or even supported. The article talks about IIS 4 or 5, but I am running 5.1 and 6. Do you have documentation that supports your answer of "No, it is not possible"?
slolife
No, in fact I've just found some documentation that shows how it is possible ;).
AnthonyWJones
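Whichever way the Secure attribute gets onto the ASPSESSIONID cookie (the AspKeepSessionIDSecure metabase value for the session cookie, or `.Secure = true` on cookies you set yourself), the thing worth checking afterwards is the actual `Set-Cookie` headers the server emits. The following is an added example, not code from the question or either answer: a small Python audit that parses captured response headers and reports any `ASPSESSIONID*` cookie that lacks `Secure` (and, as a bonus, whether `HttpOnly` is present). The header lines are constructed for illustration, not captured from a real server.

```python
"""Audit classic ASP session cookies in captured HTTP response headers.

Feed it the raw header lines from a response (e.g. copied from a browser's
network panel or a proxy) and it reports which ASPSESSIONID* cookies are
missing the Secure attribute. Sample input below is constructed.
"""

# Constructed sample headers: first session cookie lacks Secure, the
# non-session cookie is fine, the second session cookie is hardened.
SAMPLE_HEADERS = [
    "HTTP/1.1 200 OK",
    "Content-Type: text/html",
    "Set-Cookie: ASPSESSIONIDQABRSQDT=ABCDEFGHIJKLMNOPQRSTUVWX; path=/",
    "Set-Cookie: setSecure=someValue; secure; path=/",
    "Set-Cookie: ASPSESSIONIDACDBRSQC=ZYXWVUTSRQPONMLKJIHGFEDC; secure; path=/; HttpOnly",
]


def parse_set_cookie(value):
    """Split a Set-Cookie header value into (name, value, {attr: val}).

    Attribute names are lower-cased so 'Secure', 'secure' and 'SECURE'
    all match; flag attributes (Secure, HttpOnly) map to an empty string.
    """
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name, _, cookie_value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), cookie_value.strip(), attrs


def audit_session_cookies(raw_headers, prefix="ASPSESSIONID"):
    """Return one finding per session cookie: name, secure flag, httponly flag.

    Only Set-Cookie headers whose cookie name starts with `prefix` are
    considered (the ASP ISAPI handler names them ASPSESSIONID + 8 chars).
    """
    findings = []
    for line in raw_headers:
        header_name, sep, header_value = line.partition(":")
        if not sep or header_name.strip().lower() != "set-cookie":
            continue
        name, _, attrs = parse_set_cookie(header_value)
        if not name.upper().startswith(prefix):
            continue
        findings.append({
            "name": name,
            "secure": "secure" in attrs,
            "httponly": "httponly" in attrs,
        })
    return findings


def insecure_session_cookies(raw_headers):
    """Names of session cookies that a browser would also send over plain HTTP."""
    return [f["name"] for f in audit_session_cookies(raw_headers) if not f["secure"]]


if __name__ == "__main__":
    for finding in audit_session_cookies(SAMPLE_HEADERS):
        status = "OK " if finding["secure"] else "BAD"
        print(f"{status} {finding['name']}: secure={finding['secure']} "
              f"httponly={finding['httponly']}")
    missing = insecure_session_cookies(SAMPLE_HEADERS)
    print("Session cookies without Secure:", missing or "none")
```

Run it against headers captured from your own server after changing the metabase value; an empty "without Secure" list is what you want to see, and a non-empty one means the browser will still attach the session id to any http:// request for the host.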
A: 

[Edit: You can ignore the following. I just realized that you were talking about ASPSESSIONID.]

There is built-in support for secure cookies.

See http://msdn.microsoft.com/en-us/library/ms524757.aspx

Example:

<%
' Set the cookie value, then mark it Secure so the browser only sends it over HTTPS
Response.Cookies("setSecure") = "someValue"
Response.Cookies("setSecure").Secure = True
%>
JDog