[ACCEPTED]-How exactly do you configure httpOnly Cookies in ASP Classic?-httponly

Accepted answer
Score: 18

If you run your Classic ASP web pages on 16 IIS 7/7.5, then you can use the IIS URL 15 Rewrite module to write a rule to make your 14 cookies HTTPOnly.

Paste the following into 13 the section of your web.config:

        <rule name="Add HttpOnly" preCondition="No HttpOnly">
            <match serverVariable="RESPONSE_Set_Cookie" pattern=".*" negate="false" />
            <action type="Rewrite" value="{R:0}; HttpOnly" />
            <preCondition name="No HttpOnly">
                <add input="{RESPONSE_Set_Cookie}" pattern="." />
                <add input="{RESPONSE_Set_Cookie}" pattern="; HttpOnly" negate="true" />

See here 12 for the details: http://forums.iis.net/t/1168473.aspx/1/10

For background, HTTPOnly 11 cookies are required for PCI compliance 10 reasons. The PCI standards folks (for credit 9 card security) make you have HTTPOnly on 8 your sessionID cookies at the very least 7 in order to help prevent XSS attacks.

Also, at 6 the current time (2-11-2013), all major 5 browser support the HTTPOnly restriction 4 on cookies. This includes current versions 3 of IE, Firefox, Chrome and Safari.

See here 2 for more info on how this works and support 1 by various browser versions: https://www.owasp.org/index.php/HTTPOnly

Score: 13
Response.AddHeader "Set-Cookie", "mycookie=yo; HttpOnly"

Other options like expires, path and secure can be also added 3 in this way. I don't know of any magical 2 way to change your whole cookies collection, but 1 I could be wrong about that.

Score: 1

You need to append ";HttpOnly" to the Response 1 cookies collection.

Score: 0
Response.AddHeader "Set-Cookie", ""&CStr(Request.ServerVariables("HTTP_COOKIE"))&";path=/;HttpOnly"&""


More Related questions