How to set all the cookie variables in a page to HTTPOnly in ASP?
Question:
Answer 1:
I'm afraid using the Response.Cookies collection will not work when setting HttpOnly (it's been driving me slowly mad!), as VBScript (well, at least on the server I'm testing on) will character-encode the semicolon.
Instead, add the header manually yourself, for example:
Response.AddHeader "Set-Cookie", "YourCookieName=YourCookieValue; path=/; HttpOnly"
There is a similar post on Stack Overflow called: How exactly do you configure httpOnly Cookies in ASP Classic?
Answer 2:
I compiled Microsoft's ISAPI filter example (http://msdn.microsoft.com/en-us/library/ms972826). This solved my problem.
The ISAPI DLL is here https://www.dropbox.com/s/e5mq749acms0rhx/HTTPOnly.dll?dl=0
Feel free to download.
Answer 3:
Response.AddHeader "Set-Cookie", ""&CStr(Request.ServerVariables("HTTP_COOKIE"))&";path=/;HttpOnly"&""
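The Cookie request header carries every cookie in one semicolon-separated string, so marking all of them HttpOnly takes one Set-Cookie header per cookie. The following is an added example, not part of any answer on this page; the Sub name ReissueCookiesHttpOnly is hypothetical, and it assumes response buffering is on so headers can still be added.

```vbscript
<%
' Added example (not from the answers on this page).
' ReissueCookiesHttpOnly is a hypothetical helper name.
' Call it before any output is flushed to the client.
Sub ReissueCookiesHttpOnly()
    Dim raw, pairs, i, pair, eq, attrs

    ' The request's Cookie header holds every cookie: "a=1; b=2; c=3"
    raw = Request.ServerVariables("HTTP_COOKIE")
    If Len(raw) = 0 Then Exit Sub

    attrs = "; path=/; HttpOnly"
    ' Add Secure only when the request arrived over TLS: a Secure cookie
    ' is never sent back over plain HTTP.
    If LCase(Request.ServerVariables("HTTPS")) = "on" Then
        attrs = attrs & "; Secure"
    End If

    pairs = Split(raw, ";")
    For i = 0 To UBound(pairs)
        pair = Trim(pairs(i))
        eq = InStr(pair, "=")
        ' Skip fragments with no name, and anything carrying CR or LF
        If eq > 1 And InStr(pair, vbCr) = 0 And InStr(pair, vbLf) = 0 Then
            ' pair is still in its on-the-wire encoding, so send it back as-is;
            ' AddHeader appends a new header each time instead of replacing one
            Response.AddHeader "Set-Cookie", pair & attrs
        End If
    Next
End Sub

ReissueCookiesHttpOnly
%>
```

The Cookie header carries no expiry, domain or path, so every cookie re-issued this way becomes a session cookie scoped to path=/. Cookies that must persist need their expires value set where they are created.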
Answer 4:
Ancient question, but I had to figure it out for a legacy app myself.
Classic ASP's Response.Cookies collection just won't do the trick for adding the HttpOnly tag. You need to use
Response.AddHeader "Set-Cookie", useful_value
to get this to work. If you try to set the Path attribute of an item in the Response.Cookies collection like this
Response.Cookies("stupid").Path = "/; HttpOnly"
it helpfully URLEncodes the semicolon, thus corrupting the path.
So, I banged out a couple of classic ASP functions for the purpose, offered here in solidarity with everybody living with classic ASP.
' Given a Date item, return the text string suitable for a cookie's expires= field.
' For example: Tue, 02-Aug-2016 18:57:00 GMT
function RFC6265Date(inputDate)
    ' (we are on EST, Z-5, so offset the time. Classic ASP, no timezone support)
    ' Named gmtDate rather than "date" so it does not shadow VBScript's built-in Date function.
    dim gmtDate : gmtDate = DateAdd("h", 5, inputDate)
    dim v : v = WeekdayName(Weekday(gmtDate), true) & ", "
    v = v & Right("00" & Day(gmtDate), 2) & "-"
    v = v & MonthName(Month(gmtDate), true) & "-" & Year(gmtDate) & " "
    ' FormatDateTime(..., 4) gives hh:mm in 24-hour form; seconds are fixed at :00
    v = v & FormatDateTime(gmtDate, 4) & ":00 GMT"
    RFC6265Date = v
end function

' Make cookie header value including various security items
function RFC6265CookieValue(name, val, inputDate, domain)
    'name=tok=val&tok=val&tok=val; domain=.glance.net; expires=Tue, 02-Aug-2016 18:57:00 GMT; path=/; HttpOnly; secure
    dim cv : cv = name & "="
    cv = cv & val & "; "
    ' Pass "" for inputDate to get a session cookie
    if inputDate <> "" then
        cv = cv & "expires=" & RFC6265Date(inputDate) & "; "
    end if
    ' Pass "" for domain to get a host-only cookie
    if domain <> "" then
        cv = cv & "domain=" & domain & "; "
    end if
    cv = cv & "path=/; HttpOnly; Secure"
    RFC6265CookieValue = cv
end function
To use this, call it like this:
Response.AddHeader "Set-Cookie", _
    RFC6265CookieValue( _
        "cookiename", _
        "size=big&flavor=chocolate+chip", _
        DateAdd("yyyy", 1, Now()), _
        "example.com")
(Classic ASP is like disco. A generation later, it still sucks.)