Setting the ASP session cookie as HttpOnly can be done in web.config using URLrewrite:
<rewrite> <outboundRules> <rule name="Secure ASP session cookie"> <match serverVariable="RESPONSE_Set_Cookie" pattern="ASPSESSIONID(.*)" negate="false" /> <!--<action type="Rewrite" value="ASPSESSIONID{R:1}; HttpOnly; Secure" />--> <action type="Rewrite" value="ASPSESSIONID{R:1}; HttpOnly" /> </rule> </outboundRules> </rewrite>
It's also possible to use URLrewrite to make all cookies HttpOnly / Secure, but sometimes you need cookies to be readable in JavaScript, so here's a collection of functions and sub routines I wrote a while ago for creating regular cookies that can enable or disable "HttpOnly" and "Secure":
' ********************************************************************************************************* ' Set a cookie ' ********************************************************************************************************* sub set_cookie(cookie_name,cookie_value,cookie_path,http_only,secure,expire) Dim cookie_header, split_expire, expire_value ' Set the cookie name and value. The value must be URL encoded. cookie_header = cookie_name & "=" & server.URLEncode(cookie_value) & "; " ' To set cookies that can be accessed by sub domains, you need to specify the domain as ' ".mydomain.com". If no domain is specified then the cookie will be set as "host only", ' and only be accessible to the domain it was set on. Un-comment to disable host only: 'cookie_header = cookie_header & "Domain=.mydomain.com; " ' Check the expire value for a specific expiry length (e.g; "1 year") ' For session cookies, the expiry should be set to null. if NOT isDate(expire) AND NOT isNull(expire) then ' Remove any double spaces and trim the value. expire = replace(expire," "," ") expire = trim(expire) ' Split on space to separate the expiry value from the expiry unit. split_expire = split(expire," ") ' A uBound value of 1 is expected if uBound(split_expire) = 1 then expire_value = split_expire(0) if NOT isNumeric(expire_value) then exit sub expire_value = int(expire_value) select case lCase(split_expire(1)) case "minute","minutes" expire = DateAdd("n",expire_value,Now()) case "hour","hours" expire = DateAdd("h",expire_value,Now()) case "day","days" expire = DateAdd("d",expire_value,Now()) case "week","weeks" expire = DateAdd("ww",expire_value,Now()) case "month","months" expire = DateAdd("m",expire_value,Now()) case "year","years" expire = DateAdd("yyyy",expire_value,Now()) case else ' unknown expiry unit, exit sub exit sub end select else ' Unexpected uBound. This means no space was included when specifying the expiry length ' or multiple spaces were included. exit sub end if end if ' Set the expiry date if there is one. If the expiry value is null then no expiry date will be set and ' the cookie will expire when the session does (a session cookie). ' The expiry date can only be UTC or GMT. Be sure to check your servers timezone and adjust accordingly. if isDate(expire) then ' The cookie date needs to be formatted as: ' WeekDayName(shortened), day-monthName(shortened)-year timestamp(00:00:00) GMT/UTC expire = cDate(expire) cookie_header = cookie_header & "expires=" &_ weekday_name(WeekDay(expire),true) & ", " &_ ZeroPad(Day(expire)) & "-" &_ month_name(Month(expire),true) & "-" &_ year(expire) & " " &_ timeFromDate(expire) & " UTC; " end if cookie_header = cookie_header & "path=" & cookie_path & "; " ' HttpOnly means cookies can only be read over a HTTP (or HTTPS) connection. ' This prevents JavaScript from being able to read any cookies set as HttpOnly. ' HttpOnly should always be used unless you're setting a cookie that needs to ' be accessed by JavaScript (a CSRF token cookie for example). if http_only then cookie_header = cookie_header & "HttpOnly; " end if ' A "secure" cookie means the cookie can only be accessed over a HTTPS connection. ' If we try to create a secure cookie over a none HTTPS connection it will be ' rejected by most browsers. So check the HTTPS protocol is ON before setting a ' cookie as secure. This check is particularly useful when running on a localhost, ' most localhosts don't use HTTPS, so trying to set a Secure cookie won't work. if secure AND uCase(request.ServerVariables("HTTPS")) = "ON" then cookie_header = cookie_header & "Secure; " end if ' Add the header and remove the trailing ";" response.AddHeader "Set-Cookie",left(cookie_header,len(cookie_header)-2) end sub ' ********************************************************************************************************* ' Delete a cookie ' ********************************************************************************************************* sub delete_cookie(cookie_name) ' There is no header for deleting cookies. Instead, cookies are modified to a date that ' has already expired and the users browser will delete the expired cookie for us. response.AddHeader "Set-Cookie",cookie_name & "=; " &_ "expires=Thu, 01-Jan-1970 00:00:00 UTC; path=/" end sub ' ********************************************************************************************************* ' When the LCID is set to 1033 (us) vbLongTime formats in 12hr with AM / PM, this is invalid for a cookie ' timestamp. Instead, we use vbShortTime which returns the hour and minute as 24hr with any LCID, then use ' vbLongTime to get the seconds, and join the two together. ' ********************************************************************************************************* function timeFromDate(ByVal theDate) Dim ts_secs : ts_secs = split(FormatDateTime(theDate,vbLongTime),":") if uBound(ts_secs) = 2 then timeFromDate = FormatDateTime(theDate,vbShortTime) & ":" & left(ts_secs(2),2) else timeFromDate = "00:00:00" end if end function ' ********************************************************************************************************* ' WeekDayName and MonthName will return a value in the native language based on the LCID. ' These are custom functions used to return the weekday and month names in english, ' reguardless of the LCID ' ********************************************************************************************************* function weekday_name(weekday_val, shorten) select case weekday_val case 1 if shorten then weekday_name = "Sun" else weekday_name = "Sunday" case 2 if shorten then weekday_name = "Mon" else weekday_name = "Monday" case 3 if shorten then weekday_name = "Tue" else weekday_name = "Tuesday" case 4 if shorten then weekday_name = "Wed" else weekday_name = "Wednesday" case 5 if shorten then weekday_name = "Thu" else weekday_name = "Thursday" case 6 if shorten then weekday_name = "Fri" else weekday_name = "Friday" case 7 if shorten then weekday_name = "Sat" else weekday_name = "Saturday" end select end function function month_name(month_val, shorten) select case month_val case 1 if shorten then month_name = "Jan" else month_name = "January" case 2 if shorten then month_name = "Feb" else month_name = "February" case 3 if shorten then month_name = "Mar" else month_name = "March" case 4 if shorten then month_name = "Apr" else month_name = "April" case 5 month_name = "May" case 6 if shorten then month_name = "Jun" else month_name = "June" case 7 if shorten then month_name = "Jul" else month_name = "July" case 8 if shorten then month_name = "Aug" else month_name = "August" case 9 if shorten then month_name = "Sep" else month_name = "September" case 10 if shorten then month_name = "Oct" else month_name = "October" case 11 if shorten then month_name = "Nov" else month_name = "November" case 12 if shorten then month_name = "Dec" else month_name = "December" end select end function ' ********************************************************************************************************* ' Prefix a 1 digit number with a 0. Used in date formatting ' ********************************************************************************************************* function zeroPad(theNum) if len(theNum) = 1 then zeroPad = cStr("0" & theNum) else zeroPad = theNum end if end function
Examples:
' ************************************************************************************************************** ' set_cookie(COOKIE NAME, COOKIE VALUE, COOKIE PATH, HTTPONLY (BOOLEAN), SECURE (BOOLEAN), EXPIRY DATE / LENGTH) ' ************************************************************************************************************** ' Expire on a specific date: call set_cookie("cookie_name1","cookie value","/",true,true,"15 Jan 2019 12:12:12") call set_cookie("cookie_name2","cookie value","/",true,true,"15 January 2019 12:12:12") call set_cookie("cookie_name3","cookie value","/",true,true,"Jan 15 2019 12:12:12") call set_cookie("cookie_name4","cookie value","/",true,true,"January 15 2019 12:12:12") call set_cookie("cookie_name5","cookie value","/",true,true,"Jan 15 2019") call set_cookie("cookie_name6","cookie value","/",true,true,"January 15 2019") ' Expire when the session ends (a sesson cookie): call set_cookie("cookie_name7","cookie value","/",true,true,null) ' Specify an expiry length: call set_cookie("cookie_name8","cookie value","/",true,true,"20 minutes") call set_cookie("cookie_name9","cookie value","/",true,true,"1 hour") call set_cookie("cookie_name10","cookie value","/",true,true,"10 days") call set_cookie("cookie_name11","cookie value","/",true,true,"3 weeks") call set_cookie("cookie_name12","cookie value","/",true,true,"1 year") ' Delete a cookie: call delete_cookie("cookie_name") ' This would also work for deleting a cookie: call set_cookie("cookie_name","","/",false,false,"-1 year")
