Cookie.HTTPOnly in classic ASP

2019-02-06 19:11发布

站内问答 / 移动开发
508 4 6

How to set all the cookie variables in a page to HTTPOnly in ASP?

标签: asp-classic
举报
4条回答
【Aperson】
2楼-- · 2019-02-06 19:31 
Response.AddHeader "Set-Cookie", ""&CStr(Request.ServerVariables("HTTP_COOKIE"))&";path=/;HttpOnly"&""
查看更多
0人赞 添加讨论(0) 举报
Animai°情兽
3楼-- · 2019-02-06 19:34

I'm afraid using the Response.Cookies collection will not work when setting HttpOnly (it's been driving me slowly mad!). As vbscript (well at least on the server i'm testing on) will character encode the semicolon.

Instead, add the header manually yourself, for example:

Response.AddHeader "Set-Cookie", "YourCookieName=YourCookieValue; path=/; HttpOnly"

There is a similar post on stackoverflow called: How exactly do you configure httpOnly Cookies in ASP Classic?

查看更多
0人赞 添加讨论(0) 举报
萌系小妹纸
4楼-- · 2019-02-06 19:43

I compiled the Microsoft's ISAPI filter example (http://msdn.microsoft.com/en-us/library/ms972826). This solved my problem.

The ISAPI DLL is here https://www.dropbox.com/s/e5mq749acms0rhx/HTTPOnly.dll?dl=0

Feel free to download.

查看更多
0人赞 添加讨论(0) 举报
对你真心纯属浪费
5楼-- · 2019-02-06 19:52

Ancient question, but I had to figure it out for a legacy app myself.

Classic ASP's Response.Cookies collection just won't do the trick for adding the HttpOnly tag. You need to use 

Response.AddHeader("Set-Cookie", useful_value)

to get this to work. If you try to set the Path attribute of an item in the Response.Cookies collection like this

Response.Cookies["stupid"].Path = "/; HttpOnly"

it helpfully URLEncodes the semicolon, thus corrupting the path.

So, I banged out a couple of classic asp functions for the purpose, offered here in solidarity with everybody living with classic asp. 

' given a Date item, return the text string suitable for a cookie's expires= field.
' For example: Tue, 02-Aug-2016 18:57:00 GMT
function RFC6265Date (inputDate)
  ' (we are on EST, Z-5, so offset the time. Classic ASP, no timezone support)
  dim date: date = DateAdd("h",5,inputDate)
  dim v : v = WeekdayName(Weekday(date),true) & ", "
  v = v & Right("00" & Day(date), 2) & "-" 
  v = v & MonthName(Month(date),true) & "-" & Year(date) & " "
  v = v & FormatDateTime(date,4) & ":00 GMT"

  RFC6265Date = v

end function

' make cookie header value including various security items
function RFC6265CookieValue(name, val, inputDate, domain)
'name=tok=val&tok=val&tok=val; domain=.glance.net; expires=Tue, 02-Aug-2016 18:57:00 GMT; path=/; HttpOnly; secure

    dim cv : cv = name & "="
    cv = cv & val & "; "
    if inputDate <> "" then
      cv = cv & "expires=" & RFC6265Date(inputDate) & "; "
    end if
    if domain <> "" then
      cv = cv & "domain=" & domain & "; "
    end if
    cv = cv & "path=/; HttpOnly; Secure"

    RFC6265CookieValue = cv

end function

To use this, call it like this

Response.AddHeader "Set-Cookie", _
                   RFC6265CookieValue( _
                     "cookiename",  _
                     "size=big&flavor=chocolate+chip" _
                     DateAdd("yyyy", 1, Now()), domain), _
                     "example.com"

(Classic ASP is like disco. A generation later, it still sucks.)

查看更多
0人赞 添加讨论(0) 举报
登录 后发表回答
相关问题
查看全部
相关文章
查看全部
收藏的人(6)