tags:

views:

1788

answers:

2
+1  Q: 

How to secure classic ASP ASPSESSIONID cookie?

Is there a way to mark classic ASP ASPSESSIONID* cookies as secure? It appears that the ASP ISAPI handler adds that session id cookie after my page is done rendering so putting code at the end of my page to loop through the Response.Cookie collection and mark them as secure doesn't seem to touch the ASPSESSIONID* cookie. Any other way of doing this?

+3  A: 

The answer is no there isn't There isn't on the standard UI provided by IIS manager. However, you can enable secure cookies for the SessionID via the AspKeepSessionIDSecure Metabase value

AnthonyWJones  2009-06-05 07:32:45
Since my site is expecting that all communication is via https, I'd like to know that the cookie won't be transmitted insecure. Pages 8-10 of the following document explain why the secure flag is needed:http://www.isecpartners.com/files/web-session-management.pdf
slolife  2009-06-05 16:59:07
Assuming all traffic is over HTTPS then it won't be. There is a possiblity that it might be if the user removes the 's' from http and tries to talk to your site. But even if they do what is the harm in that if your site only uses Https?
AnthonyWJones  2009-06-05 17:28:00
I completely agree with you that it is far fetched, but one of our clients, in reviewing our code, brought this up as an issue. Not a high priority issue, but something I wanted to investigate.Even though the server doesn't talk http, the browser doesn't know that and will send the cookie over http since the Secure bit is not set on the cookie.
slolife  2009-06-08 16:08:45
BTW, this link: http://www.microsoft.com/technet/security/bulletin/MS00-080.mspxMakes me think it is possible or even supported. The article talks about IIS4 or 5, but I am running 5.1 and 6.Do you have documentation that supports your answer of "No, it is not possible"?
slolife  2009-06-08 16:12:54
No, in fact I've just found some documentation that shows how it is possible ;).
AnthonyWJones  2009-06-09 08:10:43
A: 

[Edit: You can ignore the following. I just realized that you were talking about ASPSESSIONID.}

There is built-in support for secure cookies.

See http://msdn.microsoft.com/en-us/library/ms524757.aspx

Example:

Response.Cookies("setSecure") = "someValue"
Response.Cookies("setSecure").Secure = true
JDog  2010-10-22 16:49:15

related questions

asp consuming a web service, what do do with recordset object ?
How exactly do you configure httpOnly Cookies in ASP Classic?
Replace huge Case statement in Classic ASP
How do the CakePHP and codeigniter frameworks compare to the ASP.NET MVC framework?
Why do I get this error "[DBNETLIB][ConnectionRead (recv()).]General network error" with ASP pages
ASPSmartUpload v3.2
Are there benefits to Classic ASP over ASP.net
Why continue writing legacy systems?
Remote Debugging Server Side of a Web Application with Visual Studio 2008
Migrating from ASP Classic to .NET and pain mitigation
VBScript/ASP Classic
What is this 'Multiple-step OLE DB' error?
Code Classic ASP in Linux
How do I secure a folder used to let users upload files?
ASP/VBScript - Int() vs CInt()
What's the best way to manage a classic asp front-end using Visual Studio 2008?
Calling ASP.NET web service from ASP using SOAPClient
IIS 6/COM+ hangs
Select Query on 2 tables, on different database servers
Calling REST web services from a classic asp page
How to run remote shell scripts from ASP pages?
What is the IDE for classic ASP and VBScript?
Using ConfigurationManager to load config from an arbitrary location
What is the best way to iterate through an array in Classic Asp VBScript?
How do I build a collection in classic ASP?