How to secure classic ASP ASPSESSIONID cookie?

2019-02-12 22:57发布

站内问答 / 前沿技术
1695 4 5

Is there a way to mark classic ASP ASPSESSIONID* cookies as secure? It appears that the ASP ISAPI handler adds that session id cookie after my page is done rendering so putting code at the end of my page to loop through the Response.Cookie collection and mark them as secure doesn't seem to touch the ASPSESSIONID* cookie. Any other way of doing this?

4条回答
我只想做你的唯一
2楼-- · 2019-02-12 23:33

As found here, an UrlRewrite rule can handle this.

The rules below handle it for adding both HttpOnly and Secure if they are missing on the ASPSESSIONID cookie. (For other cookies, normally they are emitted by the site ASP code: better handle that directly in the code responsible for them.)

<system.webServer>
  <rewrite>
    <outboundRules>
      <rule name="Add HttpOnly" preCondition="No HttpOnly">
        <match serverVariable="RESPONSE_Set_Cookie" pattern="\s*ASPSESSIONID.*" />
        <action type="Rewrite" value="{R:0}; HttpOnly" />
      </rule>
      <rule name="Add Secure" preCondition="No Secure">
        <match serverVariable="RESPONSE_Set_Cookie" pattern="\s*ASPSESSIONID.*" />
        <action type="Rewrite" value="{R:0}; Secure" />
        <conditions>
          <add input="{HTTP_HOST}" pattern="localhost" negate="true" />
        </conditions>
      </rule>
      <preConditions>
        <preCondition name="No HttpOnly">
          <add input="{RESPONSE_Set_Cookie}" pattern="; HttpOnly" negate="true" />
        </preCondition>
        <preCondition name="No Secure" logicalGrouping="MatchAll">
          <add input="{RESPONSE_Set_Cookie}" pattern="; Secure" negate="true" />
        </preCondition>
      </preConditions>
    </outboundRules>
  </rewrite>
</system.webServer>

If UrlRewrite is not installed in the IIS Server, this will crash the site.

Note that the Secure rule should not be applied if the site is legitimately accessed over http instead of https, thus the condition for not emitting it when browsing it locally. If Secure is emitted for a site accessed over http from the client end, the client will not send the cookie back to the server.

(I avoid testing the inbound protocol, because the sites I work on are not supposed to be accessed on http anyway, excepted eventually directly from their hosting server or load-balancer.)

I have previously tried using asp/session/keepSessionIdSecure, but it has no effect (at least for a site behind a load-balancer terminating the https and accessing the site server over http). This setting is the modern version (IIS 7+) of the AspKeepSessionIDSecure Metabase value pointed by AnthonyWJones answer.

查看更多
0人赞 添加讨论(0) 举报
手持菜刀,她持情操
3楼-- · 2019-02-12 23:45

The answer is no there isn't There isn't on the standard UI provided by IIS manager. However, you can enable secure cookies for the SessionID via the AspKeepSessionIDSecure Metabase value

查看更多
0人赞 添加讨论(0) 举报
何必那么认真
4楼-- · 2019-02-12 23:45

I run this command:

CSCRIPT C:\Inetpub\AdminScripts\adsutil.vbs set w3svc/1/AspKeepSessionIDSecure 1

More information here: http://blogs.msdn.com/b/rahulso/archive/2007/06/19/cookies-case-study-with-ssl-and-frames-classic-asp.aspx

查看更多
0人赞 添加讨论(0) 举报
兄弟一词,经得起流年.
5楼-- · 2019-02-12 23:51

[Edit: You can ignore the following. I just realized that you were talking about ASPSESSIONID.}

There is built-in support for secure cookies.

See http://msdn.microsoft.com/en-us/library/ms524757.aspx

Example (for ASP.Net, not Classic ASP):

Response.Cookies("setSecure") = "someValue"
Response.Cookies("setSecure").Secure = true
查看更多
0人赞 添加讨论(0) 举报
登录 后发表回答
相关问题
查看全部
相关文章
查看全部
收藏的人(5)