Classic ASP ASPSessionID cookie HTTPOnly

Andrew (01-18-2010)
Hi,

We have a classic ASP (not .Net) application that has been audited for
security by a third party company. They recommend that we set the
ASPSESSIONID Cookie, i.e. the one that is autogenerated for sessions, to use
the HTTPOnly attribute.

I can set this for cookies I explicitly create but cannot find any way in
classic ASP to set this for the automatically generated one.

Could someone please advise if this is possible so I can go back with a
definitive answer?

BR

Andrew
 

Bob Barrows (01-18-2010)
Andrew wrote:
> Hi,
>
> We have a classic ASP (not .Net) application that has been audited for
> security by a third party company. They recommend that we set the
> ASPSESSIONID Cookie, ie the one that is autogenerated for sessions,
> to use the HTTPOnly attribute.
>
> I can set this for cookies I explicitly create but cannot find any
> way in classic ASP to set this for the automatically generated one.
>
> Could someone please advise if this is possible so I can go back with
> a definitive answer?
>

I don't know the answer, sorry (I never use cookies and have never had to
worry about this attribute). If you get no replies here, you should try the
..inetserver.iis group.

--
Microsoft MVP - ASP/ASP.NET - 2004-2007
Please reply to the newsgroup. This email account is my spam trap so I
don't check it very often. If you must reply off-line, then remove the
"NO SPAM"


 

Bob Barrows (01-18-2010)
Andrew wrote:
> Hi,
>
> We have a classic ASP (not .Net) application that has been audited for
> security by a third party company. They recommend that we set the
> ASPSESSIONID Cookie, ie the one that is autogenerated for sessions,
> to use the HTTPOnly attribute.
>
> I can set this for cookies I explicitly create but cannot find any
> way in classic ASP to set this for the automatically generated one.
>
> Could someone please advise if this is possible so I can go back with
> a definitive answer?
>

I've done some googling and this seems relevant:
http://stackoverflow.com/questions/5...in-asp-classic

Note: "HttpOnly does very little to improve the security of web
applications. For one thing, it only works in IE (Firefox "supports" it, but
still discloses cookies to Javascript in some situations). For another
thing, it only prevents a "drive-by" attack against your application; it
does nothing to keep a cross-site scripting attack from resetting passwords,
changing email addresses, or placing orders."

--
Microsoft MVP - ASP/ASP.NET - 2004-2007
Please reply to the newsgroup. This email account is my spam trap so I
don't check it very often. If you must reply off-line, then remove the
"NO SPAM"


 

Dan (01-18-2010)

"Andrew" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Hi,
>
> We have a classic ASP (not .Net) application that has been audited for
> security by a third party company. They recommend that we set the
> ASPSESSIONID Cookie, ie the one that is autogenerated for sessions, to use
> the HTTPOnly attribute.
>
> I can set this for cookies I explicitly create but cannot find any way in
> classic ASP to set this for the automatically generated one.
>
> Could someone please advise if this is possible so I can go back with a
> definitive answer?
>
> BR
>
> Andrew



I don't think this is possible - .NET 2.0 automatically adds the HTTPOnly
flag to automatically generated cookies (session ID and forms
authentication) for ASP.NET applications, but classic ASP and .NET 1.1 do
not. I guess it might be possible to parse the cookies sent by the browser
on a subsequent request and rebuild the ASPSESSIONIDxxx cookie manually,
adding the HTTPOnly flag, but I don't know whether it will work. If client
code really wants to read or change that cookie then it can just use an AJAX
call to do so anyway, so I wouldn't lose any sleep over it.

--
Dan
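The manual re-issue Dan sketches, written out as an added example in classic ASP (VBScript); this is not code from the thread or from the auditors. It assumes the block is included at the top of every .asp page (an include file, not Session_OnStart, because on the request that creates the session the browser has not yet sent the ASPSESSIONID cookie back) and that Response.Buffer is on, which is the IIS default, so Response.AddHeader can still be called. The same helper also covers the cookies Andrew creates explicitly, since Response.Cookies has no HttpOnly property in classic ASP; the cookie name "prefs" in the usage line is a hypothetical one.

```vbscript
<%
' Added example, not from the original thread.
' Assumes: included at the top of every .asp page, before any body output
' (or with Response.Buffer = True, the IIS default), so headers can still
' be added.

' Emit a Set-Cookie header carrying HttpOnly. Response.Cookies cannot set
' HttpOnly in classic ASP, so the raw header is written instead.
' Response.AddHeader appends rather than replaces, so calling it several
' times produces one Set-Cookie line per cookie.
Sub SetHttpOnlyCookie(ByVal cookieName, ByVal cookieValue, ByVal cookiePath)
    Response.AddHeader "Set-Cookie", _
        cookieName & "=" & cookieValue & "; path=" & cookiePath & "; HttpOnly"
End Sub

' Re-send every ASPSESSIONIDxxxx cookie the browser presented, this time
' with HttpOnly. The ASP runtime only emits its own Set-Cookie when it
' creates the session, so the re-issued copy is what the browser keeps for
' the rest of the session. path=/ matches the runtime's own cookie; a
' different path would make the browser store a second cookie instead of
' replacing the first.
Sub ReissueSessionCookieHttpOnly()
    Dim raw, pairs, i, eq, cName, cValue
    raw = Request.ServerVariables("HTTP_COOKIE")
    If Len(raw) = 0 Then Exit Sub

    pairs = Split(raw, ";")
    For i = 0 To UBound(pairs)
        eq = InStr(pairs(i), "=")
        If eq > 0 Then
            cName = Trim(Left(pairs(i), eq - 1))
            cValue = Trim(Mid(pairs(i), eq + 1))
            ' 12 characters: the fixed prefix before the per-app suffix
            If UCase(Left(cName, 12)) = "ASPSESSIONID" Then
                SetHttpOnlyCookie cName, cValue, "/"
            End If
        End If
    Next
End Sub

' Run on every page request.
ReissueSessionCookieHttpOnly

' Usage for an explicitly created cookie (hypothetical name and value):
SetHttpOnlyCookie "prefs", "theme=dark", "/"
%>
```

Two limits a practitioner should report back with the fix. The very first response of a session still carries the runtime's own Set-Cookie for ASPSESSIONIDxxxx without HttpOnly, because script on that request cannot see or alter the value the runtime is about to issue; only every later response is covered. And, as Dan notes, HttpOnly only stops script from reading the cookie through document.cookie: script injected by an XSS bug can still issue requests that carry the session cookie automatically, so the finding is narrowed rather than closed.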

 

Andrew (02-15-2010)


"Bob Barrows" wrote:

> Andrew wrote:
> > Hi,
> >
> > We have a classic ASP (not .Net) application that has been audited for
> > security by a third party company. They recommend that we set the
> > ASPSESSIONID Cookie, ie the one that is autogenerated for sessions,
> > to use the HTTPOnly attribute.
> >
> > I can set this for cookies I explicitly create but cannot find any
> > way in classic ASP to set this for the automatically generated one.
> >
> > Could someone please advise if this is possible so I can go back with
> > a definitive answer?
> >

> I've done some googling and this seems relevant:
> http://stackoverflow.com/questions/5...in-asp-classic
>
> Note: "HttpOnly does very little to improve the security of web
> applications. For one thing, it only works in IE (Firefox "supports" it, but
> still discloses cookies to Javascript in some situations). For another
> thing, it only prevents a "drive-by" attack against your application; it
> does nothing to keep a cross-site scripting attack from resetting passwords,
> changing email addresses, or placing orders."
>


Thanks very much to everyone for their responses to this post. It has been
helpful in allowing me to go back with a definitive answer to the client.

I suspect I need to apologise to the group also: I did not see my posting
appear initially, so, thinking I had done something wrong, I reposted it.
Inadvertent spam, I assure you.

BR

Andrew
 