
I have a client who runs his Classic ASP site under IIS 6.0. The web site is targeted for ASP.NET 2.0 in the ASP.NET configuration tab. A recent PCI Scan of his site is failing him with an HttpOnly vulnerability on his ASPSESSIONID cookie.

I have installed an ISAPI .dll that successfully sets HttpOnly on all manually created cookies, but the ASPSESSIONID cookie is not affected by this for some reason.

I have set web.config with the following configuration:

<system.web>
    <httpCookies httpOnlyCookies="true" />
</system.web>

This configuration seems to have no effect whatsoever on anything. I suspect that, even though the web site is targeted for ASP.NET 2.0, it is after all a Classic ASP application and HttpOnly wasn't supported at all.

The client's web site uses a global.asa instead of global.asax. This rules out using Application_EndRequest to add HttpOnly.

I can load up the client's site using Firefox/Firebug and see the cookies. Those manually created are getting HttpOnly set, but the ASPSESSIONID cookie is not HttpOnly.

Is anyone aware of how to cause the ASPSESSIONID cookie to be HttpOnly given this setup scenario?

rwkiii

2 Answers

The ASP Session Cookie cannot be modified by Classic ASP code, so for IIS 6 you would need to have an ISAPI module rewrite the cookies.

Setting HTTPONLY for Classic Asp Session Cookie

http://msdn.microsoft.com/en-us/library/ms972826

Client side JavaScript workaround

http://ko-lwin.blogspot.com/2010/12/how-to-secure-classic-asp-session-id.html

ThatGuyInIT
  • I've installed the ISAPI filter to rewrite cookies. It successfully adds HttpOnly to manually created cookies, but does not affect the ASPSESSIONID cookie. The 2 links you gave are great, but just don't provide a solution for setting HttpOnly on the ASPSESSIONID cookie specifically. – rwkiii Nov 27 '12 at 03:20
  • @rwkiii what ISAPI filter did you install? – ThatGuyInIT Nov 27 '12 at 03:25
  • The one in your second link, about half way down the page "The Good News: Mitigating Cross-Site Scripting Issues". – rwkiii Nov 27 '12 at 03:47
  • JavaScript I guess it is then =( Unless you can upgrade to IIS 7. – ThatGuyInIT Nov 27 '12 at 04:40
  • It's a live site too. Javascript is not my strong suit. Thanks Sean. – rwkiii Nov 27 '12 at 18:01
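The header rewrite that such an ISAPI filter has to perform, as an added illustration (not the code of the MSDN sample filter, and not an ISAPI filter itself): it walks a CRLF-delimited response header block and appends HttpOnly to every Set-Cookie line that lacks it, the asp.dll-issued ASPSESSIONID cookie included. The sample header block is constructed; the ISAPI plumbing (the SF_NOTIFY hook that hands the filter the raw headers and writes them back) is assumed to wrap this function.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive substring search over `haylen` bytes of plain ASCII header text. */
static const char *ci_find(const char *hay, size_t haylen, const char *needle) {
    size_t nlen = strlen(needle);
    for (size_t i = 0; i + nlen <= haylen; i++) {
        size_t j = 0;
        while (j < nlen && tolower((unsigned char)hay[i + j]) == tolower((unsigned char)needle[j]))
            j++;
        if (j == nlen)
            return hay + i;
    }
    return NULL;
}

/* Copy the CRLF-delimited header block `in` to `out`, appending "; HttpOnly" to each
 * Set-Cookie line that does not already carry the flag (cookie names are not inspected,
 * so ASPSESSIONIDxxxxxxxx is treated like any other cookie). Returns the number of bytes
 * written, excluding the terminating NUL, or 0 if `out` is too small. */
size_t add_httponly(const char *in, char *out, size_t outsz) {
    const char *flag = "; HttpOnly";
    size_t used = 0;
    const char *p = in;
    while (*p) {
        const char *eol = strstr(p, "\r\n");
        size_t linelen = eol ? (size_t)(eol - p) : strlen(p);
        size_t seplen = eol ? 2 : 0;
        /* The line is a Set-Cookie header only if it starts with that field name. */
        int is_cookie = linelen >= 11 && ci_find(p, 11, "set-cookie:") != NULL;
        /* Cookie values cannot contain ';', so a flag match can only come from an attribute. */
        int needs_flag = is_cookie && ci_find(p, linelen, "httponly") == NULL;
        size_t extra = needs_flag ? strlen(flag) : 0;
        if (used + linelen + extra + seplen + 1 > outsz)
            return 0;
        memcpy(out + used, p, linelen);
        used += linelen;
        if (needs_flag) {
            memcpy(out + used, flag, extra);
            used += extra;
        }
        memcpy(out + used, "\r\n", seplen);
        used += seplen;
        p += linelen + seplen;
    }
    out[used] = '\0';
    return used;
}

int main(void) {
    /* Constructed response headers: one session cookie without the flag, one cookie with it. */
    const char *in = "HTTP/1.1 200 OK\r\n"
                     "Set-Cookie: ASPSESSIONIDQSABCDEF=EXAMPLEVALUE; path=/\r\n"
                     "Set-Cookie: user=alice; path=/; HttpOnly\r\n"
                     "Content-Type: text/html\r\n\r\n";
    char out[512];
    if (add_httponly(in, out, sizeof out))
        fputs(out, stdout);
    return 0;
}
```

After deploying a filter, check the raw Set-Cookie header of the very first response that issues ASPSESSIONID rather than a later one, since that initial response is what a scanner evaluates.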

Request.ServerVariables("HTTP_COOKIE") will get the current cookie value, which you can then respond with as the updated cookie, adding HttpOnly. The only issue is that if you are trying to pass a security scan, they often don't take the updated value for the cookie, only the initial one.

tuson