Setting HttpOnly=true on ASP 1.1 Session ID cookie


Problem description


I have a client who runs his Classic ASP site under IIS 6.0. The web site is targeted for ASP.NET 2.0 in the ASP.NET configuration tab. A recent PCI Scan of his site is failing him with an HttpOnly vulnerability on his ASPSESSIONID cookie.


I have installed an ISAPI .dll that successfully sets HttpOnly on all manually created cookies, but the ASPSESSIONID cookie is not affected by this for some reason.


I have set web.config with the following configuration:

<system.web>
    <httpCookies httpOnlyCookies="true" />
</system.web>


This configuration seems to have no effect whatsoever, on anything. I suspect, even though the web site is targeted for ASP.NET 2.0, it is after all a Classic ASP application and HttpOnly wasn't supported at all.


The client's web site uses a global.asa instead of global.asax. This rules out using Application_EndRequest to add HttpOnly.


I can load up the client's site using Firefox/Firebug and see the cookies. Those created manually are getting HttpOnly set, but the ASPSESSIONID cookie is not HttpOnly.


Is anyone aware of how to cause the ASPSESSIONID cookie to be HttpOnly given this setup scenario?

Recommended answer


The ASP Session Cookie cannot be modified by Classic ASP code, so for IIS 6 you would need to have an ISAPI module rewrite the cookies.

Setting HttpOnly for Classic ASP Session Cookie: http://stackoverflow.com/questions/2990686/setting-httponly-for-classic-asp-session-cookie

http://msdn.microsoft.com/en-us/library/ms972826


Client side JavaScript workaround

http://ko-lwin.blogspot.com/2010/12/how-to-secure-classic-asp-session-id.html
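As an added illustration (not code from the question, the answer, or the linked posts), the following Python shows two things the thread talks about: the check a PCI scanner performs when it reports a Set-Cookie header without HttpOnly, and the header rewrite that an ISAPI filter on IIS 6 would have to apply to the outgoing response, since Classic ASP code cannot touch the ASPSESSIONID cookie itself. The response headers are constructed sample data; the random suffix on the ASPSESSIONID name mirrors how IIS names that cookie.

```python
"""Audit Set-Cookie headers for HttpOnly and rewrite the ones that lack it.

Added example; the headers below are constructed, not captured from a real site.
"""
import re

# Constructed sample response headers, in the shape IIS 6 / Classic ASP emits them.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "ASPSESSIONIDQCSTRADA=ABCDEFGHIJKLMNOPQRSTUVWX; path=/"),
    ("Set-Cookie", "prefs=lang%3Den; path=/; HttpOnly"),
    ("Set-Cookie", "cart=42; expires=Wed, 01-Jan-2031 00:00:00 GMT; path=/; secure"),
]

# IIS appends a random, per-application suffix to the ASPSESSIONID cookie name.
SESSION_COOKIE_RE = re.compile(r"^ASPSESSIONID[A-Z]+$", re.IGNORECASE)


def parse_set_cookie(value):
    """Split a Set-Cookie value into (name, value, {attribute: attribute_value}).

    Attribute names are lower-cased so 'HttpOnly', 'httponly' and 'HTTPONLY'
    compare equal; flag attributes (HttpOnly, Secure) get an empty value.
    """
    parts = [p.strip() for p in value.split(";")]
    name, _, val = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, attr_val = part.partition("=")
        attrs[key.strip().lower()] = attr_val.strip()
    return name.strip(), val, attrs


def audit_cookies(headers):
    """Return the names of cookies set without HttpOnly, as a scanner would report them."""
    missing = []
    for key, value in headers:
        if key.lower() != "set-cookie":
            continue
        name, _, attrs = parse_set_cookie(value)
        if "httponly" not in attrs:
            missing.append(name)
    return missing


def add_httponly(value):
    """Append '; HttpOnly' to a Set-Cookie value unless it is already present (idempotent)."""
    _, _, attrs = parse_set_cookie(value)
    if "httponly" in attrs:
        return value
    return value.rstrip("; ") + "; HttpOnly"


def rewrite_response(headers, only_session=False):
    """Rewrite outgoing Set-Cookie headers so every cookie carries HttpOnly.

    This is the logic a header-rewriting ISAPI filter would apply; with
    only_session=True it limits the rewrite to the ASPSESSIONID cookie.
    """
    rewritten = []
    for key, value in headers:
        if key.lower() == "set-cookie":
            name, _, _ = parse_set_cookie(value)
            if not only_session or SESSION_COOKIE_RE.match(name):
                value = add_httponly(value)
        rewritten.append((key, value))
    return rewritten


if __name__ == "__main__":
    print("Cookies without HttpOnly:", audit_cookies(SAMPLE_HEADERS))
    fixed = rewrite_response(SAMPLE_HEADERS)
    print("After rewrite:", audit_cookies(fixed))
    for key, value in fixed:
        print(f"{key}: {value}")
```

Running the audit on the sample reports the ASPSESSIONID cookie and the `cart` cookie, which is exactly the finding the question describes; after the rewrite the audit is empty. Note that the rewrite is on the server side, so a client-side JavaScript workaround like the one linked above cannot make the browser treat an existing cookie as HttpOnly; it can only limit how the page's own script handles the value.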
