Does anyone know exactly how to set HTTPONLY on classic ASP session cookies?
有人知道如何在经典的ASP会话cookie中设置HTTPONLY吗?
This is the final thing that's been flagged in a vulnerability scan and needs fixing ASAP, so any help is appreciated.
这是在漏洞扫描中被标记的最后一件事,需要尽快修复,所以需要任何帮助。
~~~A LITTLE MORE INFORMATION ON MY PROBLEM~~~
关于我的问题,还有一些资料。
Can anyone please help me with this?
有人能帮我吗?
I need to know how to set HTTPONLY on the ASPSESSION cookie created by default from ASP & IIS.
我需要知道如何设置HTTPONLY在ASP和IIS默认创建的ASPSESSION cookie中。
This is the cookie automatically created by the server for all asp pages.
这是服务器为所有asp页面自动创建的cookie。
If needed i can set HTTPONLY on all cookie across the site.
如果需要,我可以在网站上的所有cookie上设置HTTPONLY。
Any help on how to do this would be massively appreciated.
对如何做到这一点的任何帮助都将得到极大的赞赏。
Thanks
谢谢
Thanks Elliott
由于艾略特
5 个解决方案
#1
10
Microsoft includes an example using an ISAPI filter to all outbound cookies: http://msdn.microsoft.com/en-us/library/ms972826
微软包括一个使用ISAPI过滤器的所有出站cookie的例子:http://msdn.microsoft.com/en-us/library/ms972826。
or URL rewriting could be used http://forums.iis.net/p/1168473/1946312.aspx
或者URL重写可以使用http://forums.iis.net/p/1168473/1946312.aspx。
<rewrite>
<outboundRules>
<rule name="Add HttpOnly" preCondition="No HttpOnly">
<match serverVariable="RESPONSE_Set_Cookie" pattern=".*" negate="false" />
<action type="Rewrite" value="{R:0}; HttpOnly" />
<conditions>
</conditions>
</rule>
<preConditions>
<preCondition name="No HttpOnly">
<add input="{RESPONSE_Set_Cookie}" pattern="." />
<add input="{RESPONSE_Set_Cookie}" pattern="; HttpOnly" negate="true" />
</preCondition>
</preConditions>
</outboundRules>
</rewrite>
#2
2
Response.AddHeader "Set-Cookie", "CookieName=CookieValue; path=/; HttpOnly"
Source: http://www.asp101.com/tips/index.asp?id=160
来源:http://www.asp101.com/tips/index.asp?id=160
#3
2
If you have IIS7 + you need to make sure the URL Rewrite module is installed. You can install it with the Web Platform Installer. The Web Platform Installer can be found in the features view for your website. You need to run IIS Manager as administrator.
如果您有IIS7 +,您需要确保已经安装了URL重写模块。您可以使用Web平台安装程序安装它。Web平台安装程序可以在您的网站的功能视图中找到。您需要运行IIS管理器作为管理员。
Click on the Web Platform Installer in the features view for your website:
在你的网站的功能视图中点击Web平台安装程序:
Maker sure the URL Rewrite Server Product is installed. If it isn't, then install it.
确定URL重写服务器产品已安装。如果不是,那么安装它。
With the URL Rewrite Server Product installed, you can use the URL Rewrite Feature on your website to add a rule to add HttpOnly for your Session ID cookies.
在安装了URL重写服务器产品之后,您可以在您的网站上使用URL重写功能添加一条规则,以便为会话ID cookie添加HttpOnly。
You should see, if it doesn't already exist, a web.config file created for your ASP site. it will have the following contents:
你应该看看,如果它还不存在的话,网络。为您的ASP站点创建的配置文件。它将有以下内容:
If you use Firebug in Firefox to inspect your cookies, you should now see the HttpOnly flag set:
如果您在Firefox中使用Firebug检查您的cookie,您现在应该看到HttpOnly标志集:
#4
1
I compiled the Microsoft's ISAPI filter example. This solved my problem.
我编译了微软的ISAPI过滤器示例。这解决了我的问题。
The ISAPI DLL is here
ISAPI DLL在这里。
Feel free to download.
随时下载。
#5
0
This page has lots of information that's relevant to your problem.
这个页面有很多与你的问题相关的信息。
.NET 1.1 doesn't add HttpOnly
because it hadn't been invented yet.
net 1.1没有添加HttpOnly,因为它还没有被发明。
If your app will run under .NET 2.0 (I moved several Classic ASP sites to 2.0 virtually unchanged) HttpOnly is set by default.
如果你的应用程序在。net 2.0下运行(我将几个经典的ASP站点移动到2.0几乎没有变化),HttpOnly是默认设置的。
If I read him right, you can get the Session cookie and append ; HttpOnly;
to it. He gives a java example:
如果我读对了,你可以得到Session cookie和append;HttpOnly;到它。他举了一个java的例子:
String sessionid = request.getSession().getId();
response.setHeader("SET-COOKIE", "JSESSIONID=" + sessionid + "; HttpOnly");
Lastly, he suggests:
最后,他建议:
if code changes are infeasible, web application firewalls can be used to add HttpOnly to session cookies
如果代码更改是不可行的,web应用程序防火墙可用于将HttpOnly添加到会话cookie中。
Edited to add: to those who think migrating to .NET (which can accommodate most Classic ASP code unchanged) is too drastic a change to get such a small feature, my experience of ISAPI filters is that they, too, can be a major pain, and in some common situations (shared hosting) you can't use them at all.
编辑添加:那些认为迁移到。net(可容纳最经典ASP代码不变)太激烈的改变能得到这样一个小功能,我ISAPI筛选器是他们的经验,也可以是一个重大的痛苦,在一些常见情况下(共享主机)你不能使用它们。
#1
10
Microsoft includes an example using an ISAPI filter to all outbound cookies: http://msdn.microsoft.com/en-us/library/ms972826
微软包括一个使用ISAPI过滤器的所有出站cookie的例子:http://msdn.microsoft.com/en-us/library/ms972826。
or URL rewriting could be used http://forums.iis.net/p/1168473/1946312.aspx
或者URL重写可以使用http://forums.iis.net/p/1168473/1946312.aspx。
<rewrite>
<outboundRules>
<rule name="Add HttpOnly" preCondition="No HttpOnly">
<match serverVariable="RESPONSE_Set_Cookie" pattern=".*" negate="false" />
<action type="Rewrite" value="{R:0}; HttpOnly" />
<conditions>
</conditions>
</rule>
<preConditions>
<preCondition name="No HttpOnly">
<add input="{RESPONSE_Set_Cookie}" pattern="." />
<add input="{RESPONSE_Set_Cookie}" pattern="; HttpOnly" negate="true" />
</preCondition>
</preConditions>
</outboundRules>
</rewrite>
#2
2
Response.AddHeader "Set-Cookie", "CookieName=CookieValue; path=/; HttpOnly"
Source: http://www.asp101.com/tips/index.asp?id=160
来源:http://www.asp101.com/tips/index.asp?id=160
#3
2
If you have IIS7 + you need to make sure the URL Rewrite module is installed. You can install it with the Web Platform Installer. The Web Platform Installer can be found in the features view for your website. You need to run IIS Manager as administrator.
如果您有IIS7 +,您需要确保已经安装了URL重写模块。您可以使用Web平台安装程序安装它。Web平台安装程序可以在您的网站的功能视图中找到。您需要运行IIS管理器作为管理员。
Click on the Web Platform Installer in the features view for your website:
在你的网站的功能视图中点击Web平台安装程序:
Maker sure the URL Rewrite Server Product is installed. If it isn't, then install it.
确定URL重写服务器产品已安装。如果不是,那么安装它。
With the URL Rewrite Server Product installed, you can use the URL Rewrite Feature on your website to add a rule to add HttpOnly for your Session ID cookies.
在安装了URL重写服务器产品之后,您可以在您的网站上使用URL重写功能添加一条规则,以便为会话ID cookie添加HttpOnly。
You should see, if it doesn't already exist, a web.config file created for your ASP site. it will have the following contents:
你应该看看,如果它还不存在的话,网络。为您的ASP站点创建的配置文件。它将有以下内容:
If you use Firebug in Firefox to inspect your cookies, you should now see the HttpOnly flag set:
如果您在Firefox中使用Firebug检查您的cookie,您现在应该看到HttpOnly标志集:
#4
1
I compiled the Microsoft's ISAPI filter example. This solved my problem.
我编译了微软的ISAPI过滤器示例。这解决了我的问题。
The ISAPI DLL is here
ISAPI DLL在这里。
Feel free to download.
随时下载。
#5
0
This page has lots of information that's relevant to your problem.
这个页面有很多与你的问题相关的信息。
.NET 1.1 doesn't add HttpOnly
because it hadn't been invented yet.
net 1.1没有添加HttpOnly,因为它还没有被发明。
If your app will run under .NET 2.0 (I moved several Classic ASP sites to 2.0 virtually unchanged) HttpOnly is set by default.
如果你的应用程序在。net 2.0下运行(我将几个经典的ASP站点移动到2.0几乎没有变化),HttpOnly是默认设置的。
If I read him right, you can get the Session cookie and append ; HttpOnly;
to it. He gives a java example:
如果我读对了,你可以得到Session cookie和append;HttpOnly;到它。他举了一个java的例子:
String sessionid = request.getSession().getId();
response.setHeader("SET-COOKIE", "JSESSIONID=" + sessionid + "; HttpOnly");
Lastly, he suggests:
最后,他建议:
if code changes are infeasible, web application firewalls can be used to add HttpOnly to session cookies
如果代码更改是不可行的,web应用程序防火墙可用于将HttpOnly添加到会话cookie中。
Edited to add: to those who think migrating to .NET (which can accommodate most Classic ASP code unchanged) is too drastic a change to get such a small feature, my experience of ISAPI filters is that they, too, can be a major pain, and in some common situations (shared hosting) you can't use them at all.
编辑添加:那些认为迁移到。net(可容纳最经典ASP代码不变)太激烈的改变能得到这样一个小功能,我ISAPI筛选器是他们的经验,也可以是一个重大的痛苦,在一些常见情况下(共享主机)你不能使用它们。