Does anyone know exactly how to set HTT开发者_开发问答PONLY on classic ASP session cookies?
This is the final thing that's been flagged in a vulnerability scan and needs fixing ASAP, so any help is appreciated.
~~~A LITTLE MORE INFORMATION ON MY PROBLEM~~~
Can anyone please help me with this?
I need to know how to set HTTPONLY on the ASPSESSION cookie created by default from ASP & IIS.
This is the cookie automatically created by the server for all asp pages.
If needed i can set HTTPONLY on all cookie across the site.
Any help on how to do this would be massively appreciated.
Thanks
Thanks Elliott
Microsoft includes an example using an ISAPI filter to all outbound cookies: http://msdn.microsoft.com/en-us/library/ms972826
or URL rewriting could be used http://forums.iis.net/p/1168473/1946312.aspx
<rewrite>
<outboundRules>
<rule name="Add HttpOnly" preCondition="No HttpOnly">
<match serverVariable="RESPONSE_Set_Cookie" pattern=".*" negate="false" />
<action type="Rewrite" value="{R:0}; HttpOnly" />
<conditions>
</conditions>
</rule>
<preConditions>
<preCondition name="No HttpOnly">
<add input="{RESPONSE_Set_Cookie}" pattern="." />
<add input="{RESPONSE_Set_Cookie}" pattern="; HttpOnly" negate="true" />
</preCondition>
</preConditions>
</outboundRules>
</rewrite>
If you have IIS7 + you need to make sure the URL Rewrite module is installed. You can install it with the Web Platform Installer. The Web Platform Installer can be found in the features view for your website. You need to run IIS Manager as administrator.
Click on the Web Platform Installer in the features view for your website:
Maker sure the URL Rewrite Server Product is installed. If it isn't, then install it.
With the URL Rewrite Server Product installed, you can use the URL Rewrite Feature on your website to add a rule to add HttpOnly for your Session ID cookies.
You should see, if it doesn't already exist, a web.config file created for your ASP site. it will have the following contents:
If you use Firebug in Firefox to inspect your cookies, you should now see the HttpOnly flag set:
Response.AddHeader "Set-Cookie", "CookieName=CookieValue; path=/; HttpOnly"
Source: http://www.asp101.com/tips/index.asp?id=160
I compiled the Microsoft's ISAPI filter example. This solved my problem.
The ISAPI DLL is here
Feel free to download.
Setting the ASP session cookie as HttpOnly can be done in web.config using URLrewrite:
<rewrite>
<outboundRules>
<rule name="Secure ASP session cookie">
<match serverVariable="RESPONSE_Set_Cookie" pattern="ASPSESSIONID(.*)" negate="false" />
<!--<action type="Rewrite" value="ASPSESSIONID{R:1}; HttpOnly; Secure" />-->
<action type="Rewrite" value="ASPSESSIONID{R:1}; HttpOnly" />
</rule>
</outboundRules>
</rewrite>
It's also possible to use URLrewrite to make all cookies HttpOnly / Secure, but sometimes you need cookies to be readable in JavaScript, so here's a collection of functions and sub routines I wrote a while ago for creating regular cookies that can enable or disable "HttpOnly" and "Secure":
' *********************************************************************************************************
' Set a cookie
' *********************************************************************************************************
sub set_cookie(cookie_name,cookie_value,cookie_path,http_only,secure,expire)
Dim cookie_header, split_expire, expire_value
' Set the cookie name and value. The value must be URL encoded.
cookie_header = cookie_name & "=" & server.URLEncode(cookie_value) & "; "
' To set cookies that can be accessed by sub domains, you need to specify the domain as
' ".mydomain.com". If no domain is specified then the cookie will be set as "host only",
' and only be accessible to the domain it was set on. Un-comment to disable host only:
'cookie_header = cookie_header & "Domain=.mydomain.com; "
' Check the expire value for a specific expiry length (e.g; "1 year")
' For session cookies, the expiry should be set to null.
if NOT isDate(expire) AND NOT isNull(expire) then
' Remove any double spaces and trim the value.
expire = replace(expire," "," ")
expire = trim(expire)
' Split on space to separate the expiry value from the expiry unit.
split_expire = split(expire," ")
' A uBound value of 1 is expected
if uBound(split_expire) = 1 then
expire_value = split_expire(0)
if NOT isNumeric(expire_value) then exit sub
expire_value = int(expire_value)
select case lCase(split_expire(1))
case "minute","minutes"
expire = DateAdd("n",expire_value,Now())
case "hour","hours"
expire = DateAdd("h",expire_value,Now())
case "day","days"
expire = DateAdd("d",expire_value,Now())
case "week","weeks"
expire = DateAdd("ww",expire_value,Now())
case "month","months"
expire = DateAdd("m",expire_value,Now())
case "year","years"
expire = DateAdd("yyyy",expire_value,Now())
case else
' unknown expiry unit, exit sub
exit sub
end select
else
' Unexpected uBound. This means no space was included when specifying the expiry length
' or multiple spaces were included.
exit sub
end if
end if
' Set the expiry date if there is one. If the expiry value is null then no expiry date will be set and
' the cookie will expire when the session does (a session cookie).
' The expiry date can only be UTC or GMT. Be sure to check your servers timezone and adjust accordingly.
if isDate(expire) then
' The cookie date needs to be formatted as:
' WeekDayName(shortened), day-monthName(shortened)-year timestamp(00:00:00) GMT/UTC
expire = cDate(expire)
cookie_header = cookie_header & "expires=" &_
weekday_name(WeekDay(expire),true) & ", " &_
ZeroPad(Day(expire)) & "-" &_
month_name(Month(expire),true) & "-" &_
year(expire) & " " &_
timeFromDate(expire) & " UTC; "
end if
cookie_header = cookie_header & "path=" & cookie_path & "; "
' HttpOnly means cookies can only be read over a HTTP (or HTTPS) connection.
' This prevents JavaScript from being able to read any cookies set as HttpOnly.
' HttpOnly should always be used unless you're setting a cookie that needs to
' be accessed by JavaScript (a CSRF token cookie for example).
if http_only then
cookie_header = cookie_header & "HttpOnly; "
end if
' A "secure" cookie means the cookie can only be accessed over a HTTPS connection.
' If we try to create a secure cookie over a none HTTPS connection it will be
' rejected by most browsers. So check the HTTPS protocol is ON before setting a
' cookie as secure. This check is particularly useful when running on a localhost,
' most localhosts don't use HTTPS, so trying to set a Secure cookie won't work.
if secure AND uCase(request.ServerVariables("HTTPS")) = "ON" then
cookie_header = cookie_header & "Secure; "
end if
' Add the header and remove the trailing ";"
response.AddHeader "Set-Cookie",left(cookie_header,len(cookie_header)-2)
end sub
' *********************************************************************************************************
' Delete a cookie
' *********************************************************************************************************
sub delete_cookie(cookie_name)
' There is no header for deleting cookies. Instead, cookies are modified to a date that
' has already expired and the users browser will delete the expired cookie for us.
response.AddHeader "Set-Cookie",cookie_name & "=; " &_
"expires=Thu, 01-Jan-1970 00:00:00 UTC; path=/"
end sub
' *********************************************************************************************************
' When the LCID is set to 1033 (us) vbLongTime formats in 12hr with AM / PM, this is invalid for a cookie
' timestamp. Instead, we use vbShortTime which returns the hour and minute as 24hr with any LCID, then use
' vbLongTime to get the seconds, and join the two together.
' *********************************************************************************************************
function timeFromDate(ByVal theDate)
Dim ts_secs : ts_secs = split(FormatDateTime(theDate,vbLongTime),":")
if uBound(ts_secs) = 2 then
timeFromDate = FormatDateTime(theDate,vbShortTime) & ":" & left(ts_secs(2),2)
else
timeFromDate = "00:00:00"
end if
end function
' *********************************************************************************************************
' WeekDayName and MonthName will return a value in the native language based on the LCID.
' These are custom functions used to return the weekday and month names in english,
' reguardless of the LCID
' *********************************************************************************************************
function weekday_name(weekday_val, shorten)
select case weekday_val
case 1
if shorten then weekday_name = "Sun" else weekday_name = "Sunday"
case 2
if shorten then weekday_name = "Mon" else weekday_name = "Monday"
case 3
if shorten then weekday_name = "Tue" else weekday_name = "Tuesday"
case 4
if shorten then weekday_name = "Wed" else weekday_name = "Wednesday"
case 5
if shorten then weekday_name = "Thu" else weekday_name = "Thursday"
case 6
if shorten then weekday_name = "Fri" else weekday_name = "Friday"
case 7
if shorten then weekday_name = "Sat" else weekday_name = "Saturday"
end select
end function
function month_name(month_val, shorten)
select case month_val
case 1
if shorten then month_name = "Jan" else month_name = "January"
case 2
if shorten then month_name = "Feb" else month_name = "February"
case 3
if shorten then month_name = "Mar" else month_name = "March"
case 4
if shorten then month_name = "Apr" else month_name = "April"
case 5
month_name = "May"
case 6
if shorten then month_name = "Jun" else month_name = "June"
case 7
if shorten then month_name = "Jul" else month_name = "July"
case 8
if shorten then month_name = "Aug" else month_name = "August"
case 9
if shorten then month_name = "Sep" else month_name = "September"
case 10
if shorten then month_name = "Oct" else month_name = "October"
case 11
if shorten then month_name = "Nov" else month_name = "November"
case 12
if shorten then month_name = "Dec" else month_name = "December"
end select
end function
' *********************************************************************************************************
' Prefix a 1 digit number with a 0. Used in date formatting
' *********************************************************************************************************
function zeroPad(theNum)
if len(theNum) = 1 then
zeroPad = cStr("0" & theNum)
else
zeroPad = theNum
end if
end function
Examples:
' **************************************************************************************************************
' set_cookie(COOKIE NAME, COOKIE VALUE, COOKIE PATH, HTTPONLY (BOOLEAN), SECURE (BOOLEAN), EXPIRY DATE / LENGTH)
' **************************************************************************************************************
' Expire on a specific date:
call set_cookie("cookie_name1","cookie value","/",true,true,"15 Jan 2019 12:12:12")
call set_cookie("cookie_name2","cookie value","/",true,true,"15 January 2019 12:12:12")
call set_cookie("cookie_name3","cookie value","/",true,true,"Jan 15 2019 12:12:12")
call set_cookie("cookie_name4","cookie value","/",true,true,"January 15 2019 12:12:12")
call set_cookie("cookie_name5","cookie value","/",true,true,"Jan 15 2019")
call set_cookie("cookie_name6","cookie value","/",true,true,"January 15 2019")
' Expire when the session ends (a sesson cookie):
call set_cookie("cookie_name7","cookie value","/",true,true,null)
' Specify an expiry length:
call set_cookie("cookie_name8","cookie value","/",true,true,"20 minutes")
call set_cookie("cookie_name9","cookie value","/",true,true,"1 hour")
call set_cookie("cookie_name10","cookie value","/",true,true,"10 days")
call set_cookie("cookie_name11","cookie value","/",true,true,"3 weeks")
call set_cookie("cookie_name12","cookie value","/",true,true,"1 year")
' Delete a cookie:
call delete_cookie("cookie_name")
' This would also work for deleting a cookie:
call set_cookie("cookie_name","","/",false,false,"-1 year")
old but good, add this in a globally included asp :
Dim AspSessionCookie
AspSessionCookie = Request.ServerVariables("HTTP_COOKIE")
If instr(AspSessionCookie,"ASPSESSIONID") > 0 Then
AspSessionCookie = "ASPSESSIONID" & Split(AspSessionCookie,"ASPSESSIONID")(1)
If InStr(1,AspSessionCookie,";") then
AspSessionCookie = Split(AspSessionCookie,";")(0)
End If
Response.AddHeader "Set-Cookie", AspSessionCookie & ";HttpOnly"
End If
This page has lots of information that's relevant to your problem.
.NET 1.1 doesn't add HttpOnly
because it hadn't been invented yet.
If your app will run under .NET 2.0 (I moved several Classic ASP sites to 2.0 virtually unchanged) HttpOnly is set by default.
If I read him right, you can get the Session cookie and append ; HttpOnly;
to it. He gives a java example:
String sessionid = request.getSession().getId();
response.setHeader("SET-COOKIE", "JSESSIONID=" + sessionid + "; HttpOnly");
Lastly, he suggests:
if code changes are infeasible, web application firewalls can be used to add HttpOnly to session cookies
Edited to add: to those who think migrating to .NET (which can accommodate most Classic ASP code unchanged) is too drastic a change to get such a small feature, my experience of ISAPI filters is that they, too, can be a major pain, and in some common situations (shared hosting) you can't use them at all.
精彩评论