Setting HTTPONLY for Classic Asp Session Cookie

Question

Does anyone know exactly how to set HTTPONLY on classic ASP session cookies?

This is the final thing that's been flagged in a vulnerability scan and needs fixing ASAP, so any help is appreciated.

~~~A LITTLE MORE INFORMATION ON MY PROBLEM~~~

Can anyone help me with this problem?

I need to know how to set HTTPONLY on the ASPSESSION cookie created by default from ASP & IIS.

This is the cookie automatically created by the server for all asp pages.

If needed I can set HTTPONLY on all cookies across the site.

Any help on how to do this would be massively appreciated.

Thanks

Thanks, Elliott

Recommended answer

Microsoft includes an example using an ISAPI filter to filter all outbound cookies: http://msdn.microsoft.com/en-us/library/ms972826

Or URL rewriting could be used: http://forums.iis.net/p/1168473/1946312.aspx

<rewrite>
    <outboundRules>
        <rule name="Add HttpOnly" preCondition="No HttpOnly">
            <match serverVariable="RESPONSE_Set_Cookie" pattern=".*" negate="false" />
            <action type="Rewrite" value="{R:0}; HttpOnly" />
            <conditions>
            </conditions>
        </rule>
        <preConditions>
            <preCondition name="No HttpOnly">
                <add input="{RESPONSE_Set_Cookie}" pattern="." />
                <add input="{RESPONSE_Set_Cookie}" pattern="; HttpOnly" negate="true" />
            </preCondition>
        </preConditions>
    </outboundRules>
</rewrite>
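
An added example (not part of the original answer or of Microsoft's sample): a small Python model of the outbound rule above, plus an attribute-level audit that confirms every Set-Cookie value ends up carrying HttpOnly. The header values are constructed, the function names are hypothetical, and case-insensitive pattern matching is an assumption about how the rule is evaluated.

```python
import re

# Constructed sample Set-Cookie header values (not captured from a real server).
SAMPLE_HEADERS = [
    "ASPSESSIONIDQQTRSCBA=ABCDEFGHIJKLMNOPQRSTUVWX; path=/",
    "prefs=theme%3Ddark; path=/; HttpOnly",
    "tracking=1; path=/; httponly",
    "legacy=1; path=/;HttpOnly",  # no space after ';'
]

def apply_rule(set_cookie):
    """Model of the 'Add HttpOnly' outbound rule: precondition, then rewrite."""
    # Precondition "No HttpOnly": the header is non-empty (pattern ".") and
    # does not contain "; HttpOnly" (negate="true").
    # Assumption: patterns are matched case-insensitively.
    if not set_cookie:
        return set_cookie
    if re.search(r"; HttpOnly", set_cookie, re.IGNORECASE):
        return set_cookie
    # Action: value="{R:0}; HttpOnly" appends the attribute to the whole match.
    return set_cookie + "; HttpOnly"

def has_httponly(set_cookie):
    """Attribute-level check: split on ';' and compare attribute names."""
    attrs = [part.strip().lower() for part in set_cookie.split(";")[1:]]
    return "httponly" in attrs

def audit(headers):
    """Return the names of cookies whose Set-Cookie value lacks HttpOnly."""
    return [h.split("=", 1)[0] for h in headers if not has_httponly(h)]

if __name__ == "__main__":
    print("missing HttpOnly before rule:", audit(SAMPLE_HEADERS))
    rewritten = [apply_rule(h) for h in SAMPLE_HEADERS]
    for header in rewritten:
        print("Set-Cookie:", header)
    print("missing HttpOnly after rule:", audit(rewritten))
```

The `legacy` cookie shows one edge case: because the precondition looks for the literal text `; HttpOnly`, a header that already has `;HttpOnly` without the space gets the attribute appended a second time, which is redundant but still leaves the cookie flagged HttpOnly.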
