Reputation: 5846
I have a client who runs his Classic ASP site under IIS 6.0. The web site is targeted for ASP.NET 2.0 in the ASP.NET configuration tab. A recent PCI Scan of his site is failing him with an HttpOnly vulnerability on his ASPSESSIONID cookie.
I have installed an ISAPI .dll that successfully sets HttpOnly on all manually created cookies, but the ASPSESSIONID cookie is not affected by this for some reason.
I have set web.config with the following configuration:
<system.web>
<httpCookies httpOnlyCookies="true" />
</system.web>
This configuration seems to have no effect whatsoever, on anything. I suspect that, even though the web site is targeted for ASP.NET 2.0, it is after all a Classic ASP application and HttpOnly wasn't supported at all.
The client's web site uses a global.asa instead of global.asax. This rules out using Application_EndRequest to add HttpOnly.
I can load up the client's site using Firefox/Firebug and see the cookies. Those manually created are getting HttpOnly set, but the ASPSESSIONID cookie is not HttpOnly.
Is anyone aware of how to cause the ASPSESSIONID cookie to be HttpOnly given this setup scenario?
Upvotes: 2
Views: 18323
Reputation: 16
Request.ServerVariables("HTTP_COOKIE") will get the current cookie value, which you can then respond with as the updated cookie, adding HttpOnly. The only issue is that if you are trying to pass a security scan, they often don't take the updated value for the cookie, only the initial one.
Upvotes: 0
Reputation: 2239
The ASP session cookie cannot be modified by Classic ASP code, so for IIS 6 you would need to have an ISAPI module rewrite the cookies.
Setting HTTPONLY for Classic Asp Session Cookie
http://msdn.microsoft.com/en-us/library/ms972826
Client side JavaScript workaround
http://ko-lwin.blogspot.com/2010/12/how-to-secure-classic-asp-session-id.html
Upvotes: 1
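As an added example, not code from the question, the answers or the linked MSDN sample: the header-rewriting core that such an ISAPI filter has to get right, written in portable C++ so it can be exercised outside IIS. It takes the response's Set-Cookie values as one CRLF-separated block, appends "; HttpOnly" to every cookie whose name starts with ASPSESSIONID (the real cookie name carries a random suffix, so a prefix match is needed) and leaves cookies that already carry the attribute alone. The cookie values, the CRLF separation between cookies and the prefix list are assumptions made for the example.

```cpp
#include <cctype>
#include <string>
#include <vector>

// Case-insensitive prefix test, so "httponly" and "HttpOnly" both count and
// the attribute is never appended a second time.
static bool startsWithNoCase(const std::string& s, std::size_t at, const std::string& prefix) {
    if (at + prefix.size() > s.size()) return false;
    for (std::size_t i = 0; i < prefix.size(); ++i) {
        if (std::tolower(static_cast<unsigned char>(s[at + i])) !=
            std::tolower(static_cast<unsigned char>(prefix[i])))
            return false;
    }
    return true;
}

static bool containsNoCase(const std::string& s, const std::string& needle) {
    for (std::size_t i = 0; i + needle.size() <= s.size(); ++i)
        if (startsWithNoCase(s, i, needle)) return true;
    return false;
}

static std::string trim(const std::string& s) {
    std::size_t b = 0, e = s.size();
    while (b < e && std::isspace(static_cast<unsigned char>(s[b]))) ++b;
    while (e > b && std::isspace(static_cast<unsigned char>(s[e - 1]))) --e;
    return s.substr(b, e - b);
}

// The cookie name is everything before the first '='.
static std::string cookieName(const std::string& cookie) {
    std::size_t eq = cookie.find('=');
    return trim(eq == std::string::npos ? cookie : cookie.substr(0, eq));
}

// Append "; HttpOnly" to a single Set-Cookie value unless it already has it.
std::string addHttpOnly(const std::string& cookie) {
    if (containsNoCase(cookie, "httponly")) return cookie;
    std::string out = trim(cookie);
    if (!out.empty() && out[out.size() - 1] == ';') out.erase(out.size() - 1);
    return out + "; HttpOnly";
}

// Rewrite a block of Set-Cookie values separated by CRLF. The split is on
// CRLF only, never on ',': a comma also appears inside
// "Expires=Wed, 09 Jun 2021 ..." and splitting there would corrupt the cookie.
// Only cookies whose name starts with one of `targets` are changed; an empty
// `targets` list means every cookie in the block.
std::string rewriteSetCookieBlock(const std::string& block,
                                  const std::vector<std::string>& targets) {
    std::string out;
    std::size_t pos = 0;
    for (;;) {
        std::size_t end = block.find("\r\n", pos);
        std::string line = block.substr(pos, end == std::string::npos ? std::string::npos : end - pos);
        if (!trim(line).empty()) {
            bool wanted = targets.empty();
            std::string name = cookieName(line);
            for (std::size_t i = 0; i < targets.size() && !wanted; ++i)
                wanted = startsWithNoCase(name, 0, targets[i]);
            if (wanted) line = addHttpOnly(line);
        }
        out += line;
        if (end == std::string::npos) break;
        out += "\r\n";
        pos = end + 2;
    }
    return out;
}

// Constructed sample: an ASP session cookie plus an ordinary cookie whose
// Expires attribute contains a comma. Only the session cookie is rewritten.
std::string demo() {
    std::vector<std::string> targets;
    targets.push_back("ASPSESSIONID");
    const std::string headers =
        "ASPSESSIONIDQQTRCDRC=ABCDEFGHIJKLMNOPQRSTUVWX; path=/\r\n"
        "pref=dark; Expires=Wed, 09 Jun 2021 10:18:14 GMT; path=/";
    return rewriteSetCookieBlock(headers, targets);
}
```

In a filter this is the work done inside the SF_NOTIFY_SEND_RESPONSE notification, between reading the response's Set-Cookie header and writing it back; exactly how the filter obtains the combined header value is an assumption here and should be checked against the MSDN sample above. Because the rewrite happens on every response, it also covers the response that first creates the session, which matters given the point in the other answer that scanners judge the cookie as it is first issued.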