[ACCEPTED]-How exactly do you configure httpOnly Cookies in ASP Classic?-httponly
If you run your Classic ASP web pages on IIS 7/7.5, then you can use the IIS URL Rewrite module to write a rule to make your cookies HTTPOnly.
Paste the following into the section of your web.config:
<rewrite>
    <outboundRules>
        <rule name="Add HttpOnly" preCondition="No HttpOnly">
            <match serverVariable="RESPONSE_Set_Cookie" pattern=".*" negate="false" />
            <action type="Rewrite" value="{R:0}; HttpOnly" />
            <conditions>
            </conditions>
        </rule>
        <preConditions>
            <preCondition name="No HttpOnly">
                <add input="{RESPONSE_Set_Cookie}" pattern="." />
                <add input="{RESPONSE_Set_Cookie}" pattern="; HttpOnly" negate="true" />
            </preCondition>
        </preConditions>
    </outboundRules>
</rewrite>
See here for the details: http://forums.iis.net/t/1168473.aspx/1/10
For background, HTTPOnly cookies are required for PCI compliance reasons. The PCI standards folks (for credit card security) make you have HTTPOnly on your sessionID cookies at the very least in order to help prevent XSS attacks.
Also, at the current time (2-11-2013), all major browsers support the HTTPOnly restriction on cookies. This includes current versions of IE, Firefox, Chrome and Safari.
See here for more info on how this works and support by various browser versions: https://www.owasp.org/index.php/HTTPOnly
Response.AddHeader "Set-Cookie", "mycookie=yo; HttpOnly"
Other options like expires, path and secure can also be added in this way. I don't know of any magical way to change your whole cookies collection, but I could be wrong about that.
You need to append ";HttpOnly" to the Response cookies collection.
' Re-emit the request's raw cookie string as a Set-Cookie header with path and HttpOnly appended
Response.AddHeader "Set-Cookie", CStr(Request.ServerVariables("HTTP_COOKIE")) & ";path=/;HttpOnly"
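As an added example (not code from the page or from any of the answers above), the following Python models what the accepted answer's URL Rewrite outbound rule does to each Set-Cookie header, does the same append that the other two answers perform by hand, and then audits a set of headers for missing flags. The sample headers are constructed for illustration; the case-insensitive matching mirrors URL Rewrite's default `ignoreCase` behaviour, and the function names are my own.

```python
import re

# Constructed sample Set-Cookie response headers (not taken from the page),
# one per line, as an IIS outbound rule sees them in RESPONSE_Set_Cookie.
SAMPLE_HEADERS = [
    "ASPSESSIONIDQSRBBTQC=ABCDEFGHIJKLMNOPQRSTUVWX; path=/",  # session cookie, no flags
    "mycookie=yo; HttpOnly",                                  # already flagged
    "pref=dark; path=/;HttpOnly",                             # flagged, but no space after ';'
    "auth=token123; Secure; httponly",                        # flagged, lower-case spelling
]


def iis_rule_rewrite(header):
    """Model of the accepted answer's outbound rule for one Set-Cookie header.

    Precondition 1: pattern "." -> the header must contain at least one character.
    Precondition 2: pattern "; HttpOnly" with negate="true" -> the header must NOT
                    contain that exact substring (case-insensitive, the URL Rewrite
                    default when ignoreCase is not set to false).
    Action: rewrite to "{R:0}; HttpOnly", where {R:0} is the whole header.
    """
    if header and not re.search(r"; HttpOnly", header, re.IGNORECASE):
        return header + "; HttpOnly"
    return header


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, attributes).

    Attribute names are lower-cased; flag attributes such as HttpOnly and
    Secure map to an empty string.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def add_httponly(header):
    """Attribute-aware version of the same rewrite: append "; HttpOnly" only
    when no HttpOnly attribute is present, whatever its spelling or spacing."""
    _, _, attrs = parse_set_cookie(header)
    if "httponly" in attrs:
        return header
    return header + "; HttpOnly"


def missing_flags(header, require_secure=False):
    """Audit helper: list the flags a cookie lacks (HttpOnly, plus Secure if required)."""
    _, _, attrs = parse_set_cookie(header)
    missing = []
    if "httponly" not in attrs:
        missing.append("HttpOnly")
    if require_secure and "secure" not in attrs:
        missing.append("Secure")
    return missing


def audit(headers, require_secure=False):
    """Map each cookie name to the flags its Set-Cookie header is missing."""
    return {parse_set_cookie(h)[0]: missing_flags(h, require_secure) for h in headers}


if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print("rule  :", iis_rule_rewrite(h))
        print("parsed:", add_httponly(h))
    print(audit(SAMPLE_HEADERS, require_secure=True))
```

The precondition in the accepted answer is a substring match for "; HttpOnly" with a space after the semicolon, so a header written as ";HttpOnly" (the form the last answer's code emits) still passes the precondition and receives a second flag. Browsers tolerate the duplicate, but the attribute-aware `add_httponly` avoids it, and `audit` is the check to run over a captured response before relying on either approach.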