Adding Same-site; Secure to Cookies in Classic ASP

余生分开走 2020-12-18 12:32

We are running a classic ASP website and are having issues with cookies in the Chrome browser. Chrome is enforcing the cookie to be set securely (https://www.chromestatus.com/feat

2 answers
  • 2020-12-18 13:13

    There is a problem with your current approach to setting the Response Cookie.

    By using Response.Cookies after setting the header using Set-Cookie you are in effect creating a new empty cookie called "TestCookie". Instead, you want to incorporate the expiry into the existing Set-Cookie header.

    Testing your code, this is the Response header contents:

    <%
    ' Build the Expires value for a Set-Cookie header from an interval relative to now,
    ' e.g. FormatCookieDateTime("d", 1, "GMT") -> "Sat, 19-Dec-2020 12:32:00 GMT".
    Function FormatCookieDateTime(interval, value, tz)
      ' Take a single timestamp so the date and time parts cannot straddle midnight.
      Dim dt: dt = DateAdd(interval, value, Now())
      Dim result: result = WeekDayName(WeekDay(dt), True) & ", " & _
        Right("00" & Day(dt), 2) & "-" & _
        MonthName(Month(dt), True) & "-" & _
        Year(dt) & " " & _
        Right("00" & Hour(dt), 2) & ":" & _
        Right("00" & Minute(dt), 2) & ":" & _
        Right("00" & Second(dt), 2) & " " & tz

      FormatCookieDateTime = result
    End Function

    ' One header carries the expiry together with SameSite and Secure. Do not also
    ' assign Response.Cookies("TestCookie") afterwards: that emits a second, empty cookie.
    Response.AddHeader "Set-Cookie", "TestCookie=This is a Test; path=/; SameSite=None; Secure; expires=" & FormatCookieDateTime("d", 1, "GMT")
    %>

    I built a function that makes it easier to set the expiry in the correct format.

    Remember Secure is for Secure Connections

    Because you are setting two cookies (one via AddHeader() and one via Response.Cookies) it might not be clear, but the first cookie with Secure set will be ignored by Chrome if the connection is not using HTTPS. In fact, if you look at the request in Chrome Dev Tools you should see a warning symbol next to the Set-Cookie header that says (when hovered over) something along the lines of:

    This set-cookie had the "Secure" attribute but was not received over a secure connection.

  • 2020-12-18 13:18

    The standard Response.Cookies method doesn't work reliably with cookies set by using the more low-level Response.AddHeader. I have experienced the same thing.

    I'm not able to test, but you might want to try two things:

    1. Don't use these two instructions in the same ASP code block. My guess is that setting the cookie using AddHeader() will bypass classic ASP's cookie collection, so classic ASP will not know that this cookie has been set. What you could try is setting this cookie on one page, sending it to the browser, and on a different page setting the expiration.

    2. Try and set the expiration using the same AddHeader() instruction. You will have to look up how this is done on a header level, but it should certainly be possible.

    I have some example code online that sets a secure and HttpOnly cookie using Response.AddHeader(), but it doesn't set an expiration, which results in a cookie that expires when the browser (tab) is closed:

    https://gitlab.com/erik4/classic-asp-book-examples/-/blob/master/global.asa

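Pulling both answers together (the complete Set-Cookie header with SameSite, Secure and an expiry from the first answer, the HttpOnly cookie written through AddHeader from the second), here is an added example in classic ASP. It is my own code, not code from either answer or from the linked gitlab repository; WriteCookie and HttpDate are hypothetical helper names, and the server's UTC offset is an assumption noted in the code. It also handles the caveat the first answer raises: a Secure cookie on plain HTTP is dropped, and SameSite=None is only accepted together with Secure, so on a non-TLS request the helper falls back to SameSite=Lax instead of emitting a cookie the browser will reject.

```vbscript
<%
' Added example, not from the original answers: a single helper that emits
' one complete Set-Cookie header (expiry, SameSite, Secure, HttpOnly) via
' Response.AddHeader, so Response.Cookies is never touched and no second,
' empty "TestCookie" is sent.  WriteCookie and HttpDate are my own names.
Option Explicit

' Format a VBScript date as an HTTP date, e.g. "Sat, 19 Dec 2020 12:32:00 GMT".
' Fixed English names are used on purpose: WeekdayName()/MonthName() follow
' the session LCID and would produce localized names on non-English servers.
Function HttpDate(dt)
  Dim days: days = Array("Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat")
  Dim months: months = Array("Jan", "Feb", "Mar", "Apr", "May", "Jun", _
                             "Jul", "Aug", "Sep", "Oct", "Nov", "Dec")
  HttpDate = days(Weekday(dt) - 1) & ", " & _
             Right("0" & Day(dt), 2) & " " & months(Month(dt) - 1) & " " & _
             Year(dt) & " " & _
             Right("0" & Hour(dt), 2) & ":" & _
             Right("0" & Minute(dt), 2) & ":" & _
             Right("0" & Second(dt), 2) & " GMT"
End Function

' Emit one Set-Cookie header.  maxDays <= 0 gives a session cookie.
' Chrome honours SameSite=None only together with Secure, and drops Secure
' cookies on plain HTTP, so on a non-TLS request we fall back to SameSite=Lax
' rather than sending a cookie the browser will ignore.
Sub WriteCookie(name, value, maxDays, sameSite, httpOnly)
  Dim isHttps: isHttps = (UCase(Request.ServerVariables("HTTPS")) = "ON")
  ' URL-encode the value so a ";" or "," inside it cannot add cookie attributes;
  ' decode it with Server.URLDecode-style logic when reading it back.
  Dim header: header = name & "=" & Server.URLEncode(value) & "; Path=/"

  If maxDays > 0 Then
    ' Now() is local server time while HTTP dates must be GMT.  The offset
    ' below is an assumption for this example: set it to the server's real
    ' UTC offset (0 means the server clock already runs on UTC).
    Dim utcOffsetHours: utcOffsetHours = 0
    Dim expires: expires = DateAdd("h", -utcOffsetHours, DateAdd("d", maxDays, Now()))
    header = header & "; Expires=" & HttpDate(expires)
  End If

  If isHttps Then
    header = header & "; SameSite=" & sameSite & "; Secure"
  ElseIf UCase(sameSite) = "NONE" Then
    header = header & "; SameSite=Lax"   ' None without Secure is rejected
  Else
    header = header & "; SameSite=" & sameSite
  End If

  If httpOnly Then header = header & "; HttpOnly"

  Response.AddHeader "Set-Cookie", header
End Sub

' Usage: one header carries every attribute.  Over HTTPS this yields
' TestCookie=This+is+a+Test; Path=/; Expires=<date>; SameSite=None; Secure; HttpOnly
WriteCookie "TestCookie", "This is a Test", 1, "None", True
%>
```

Because the whole cookie goes out in a single AddHeader call, the warning the first answer describes (an empty duplicate cookie, or a Secure cookie on a non-secure connection) no longer appears in Chrome's DevTools; the remaining thing to verify on a real server is the UTC offset, since a wrong Expires value silently shortens or extends the cookie lifetime.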