How to secure classic ASP ASPSESSIONID cookie?

后端 未结 4 1880
太阳男子
太阳男子 2021-01-04 22:31

Is there a way to mark classic ASP ASPSESSIONID* cookies as secure? It appears that the ASP ISAPI handler adds that session id cookie after my page is done rendering so put

相关标签:
4条回答
  • 2021-01-04 23:15

    I run this command:

    CSCRIPT C:\Inetpub\AdminScripts\adsutil.vbs set w3svc/1/AspKeepSessionIDSecure 1

    More information here: http://blogs.msdn.com/b/rahulso/archive/2007/06/19/cookies-case-study-with-ssl-and-frames-classic-asp.aspx

    0 讨论(0)
  • 2021-01-04 23:15

    As found here, an UrlRewrite rule can handle this.

    The rules below handle it for adding both HttpOnly and Secure if they are missing on the ASPSESSIONID cookie. (For other cookies, normally they are emitted by the site ASP code: better handle that directly in the code responsible for them.)

    <system.webServer>
      <rewrite>
        <outboundRules>
          <rule name="Add HttpOnly" preCondition="No HttpOnly">
            <match serverVariable="RESPONSE_Set_Cookie" pattern="\s*ASPSESSIONID.*" />
            <action type="Rewrite" value="{R:0}; HttpOnly" />
          </rule>
          <rule name="Add Secure" preCondition="No Secure">
            <match serverVariable="RESPONSE_Set_Cookie" pattern="\s*ASPSESSIONID.*" />
            <action type="Rewrite" value="{R:0}; Secure" />
            <conditions>
              <add input="{HTTP_HOST}" pattern="localhost" negate="true" />
            </conditions>
          </rule>
          <preConditions>
            <preCondition name="No HttpOnly">
              <add input="{RESPONSE_Set_Cookie}" pattern="; HttpOnly" negate="true" />
            </preCondition>
            <preCondition name="No Secure" logicalGrouping="MatchAll">
              <add input="{RESPONSE_Set_Cookie}" pattern="; Secure" negate="true" />
            </preCondition>
          </preConditions>
        </outboundRules>
      </rewrite>
    </system.webServer>
    

    If UrlRewrite is not installed in the IIS Server, this will crash the site.

    Note that the Secure rule should not be applied if the site is legitimately accessed over http instead of https, thus the condition for not emitting it when browsing it locally. If Secure is emitted for a site accessed over http from the client end, the client will not send the cookie back to the server.

    (I avoid testing the inbound protocol, because the sites I work on are not supposed to be accessed on http anyway, excepted eventually directly from their hosting server or load-balancer.)

    I have previously tried using asp/session/keepSessionIdSecure, but it has no effect (at least for a site behind a load-balancer terminating the https and accessing the site server over http). This setting is the modern version (IIS 7+) of the AspKeepSessionIDSecure Metabase value pointed by AnthonyWJones answer.

    0 讨论(0)
  • 2021-01-04 23:26

    [Edit: You can ignore the following. I just realized that you were talking about ASPSESSIONID.}

    There is built-in support for secure cookies.

    See http://msdn.microsoft.com/en-us/library/ms524757.aspx

    Example (for ASP.Net, not Classic ASP):

    Response.Cookies("setSecure") = "someValue"
    Response.Cookies("setSecure").Secure = true
    
    0 讨论(0)
  • 2021-01-04 23:28

    The answer is no there isn't There isn't on the standard UI provided by IIS manager. However, you can enable secure cookies for the SessionID via the AspKeepSessionIDSecure Metabase value

    0 讨论(0)
提交回复
热议问题