为经典Asp会话Cookie设置HTTPONLY
有没有人确切知道如何在经典ASP会话cookie上设置HTTPONLY?
这是在漏洞扫描中被标记的最后一件事,需要尽快修复,所以感谢任何帮助。
~~~关于我的问题的更多信息~~~
有人可以帮我解决这个问题吗?
我需要知道如何在默认情况下从ASP& amp;创建的ASPSESSION cookie上设置HTTPONLY。 IIS。
这是服务器为所有asp页面自动创建的cookie。
如果需要,我可以在整个网站的所有cookie上设置HTTPONLY。
任何有关如何做到这一点的帮助都将受到大力赞赏。
由于
由于 埃利奥特
7 个答案:
答案 0 :(得分:11)
Microsoft包含一个使用ISAPI筛选器到所有出站Cookie的示例:http://msdn.microsoft.com/en-us/library/ms972826
可以使用或URL重写http://forums.iis.net/p/1168473/1946312.aspx
<rewrite>
<outboundRules>
<rule name="Add HttpOnly" preCondition="No HttpOnly">
<match serverVariable="RESPONSE_Set_Cookie" pattern=".*" negate="false" />
<action type="Rewrite" value="{R:0}; HttpOnly" />
<conditions>
</conditions>
</rule>
<preConditions>
<preCondition name="No HttpOnly">
<add input="{RESPONSE_Set_Cookie}" pattern="." />
<add input="{RESPONSE_Set_Cookie}" pattern="; HttpOnly" negate="true" />
</preCondition>
</preConditions>
</outboundRules>
</rewrite>
答案 1 :(得分:3)
如果你有IIS7 +,你需要确保安装了URL Rewrite模块。您可以使用Web Platform Installer进行安装。可以在网站的功能视图中找到Web平台安装程序。您需要以管理员身份运行IIS管理器。
在您网站的功能视图中单击Web平台安装程序:
确保已安装URL重写服务器产品。如果不是,请安装它。
安装了网址重写服务器产品后,您可以使用网站上的网址重写功能添加规则,为您的会话ID Cookie添加HttpOnly。
如果不存在,您应该看到为ASP站点创建的web.config文件。它将具有以下内容:
如果你在Firefox中使用Firebug来检查你的cookie,你现在应该看到HttpOnly标志集:
答案 2 :(得分:1)
Response.AddHeader "Set-Cookie", "CookieName=CookieValue; path=/; HttpOnly"
答案 3 :(得分:1)
答案 4 :(得分:0)
可以使用URLrewrite在web.config中将ASP会话cookie设置为HttpOnly:
<rewrite>
<outboundRules>
<rule name="Secure ASP session cookie">
<match serverVariable="RESPONSE_Set_Cookie" pattern="ASPSESSIONID(.*)" negate="false" />
<!--<action type="Rewrite" value="ASPSESSIONID{R:1}; HttpOnly; Secure" />-->
<action type="Rewrite" value="ASPSESSIONID{R:1}; HttpOnly" />
</rule>
</outboundRules>
</rewrite>
也可以使用URLrewrite将所有cookie设为HttpOnly / Secure,但是有时您需要cookie才能在JavaScript中读取,因此这是我前一段时间写的一些函数和子例程,用于创建可以启用或禁用常规cookie的功能。禁用“ HttpOnly”和“安全”:
' *********************************************************************************************************
' Set a cookie
' *********************************************************************************************************
sub set_cookie(cookie_name,cookie_value,cookie_path,http_only,secure,expire)
Dim cookie_header, split_expire, expire_value
' Set the cookie name and value. The value must be URL encoded.
cookie_header = cookie_name & "=" & server.URLEncode(cookie_value) & "; "
' To set cookies that can be accessed by sub domains, you need to specify the domain as
' ".mydomain.com". If no domain is specified then the cookie will be set as "host only",
' and only be accessible to the domain it was set on. Un-comment to disable host only:
'cookie_header = cookie_header & "Domain=.mydomain.com; "
' Check the expire value for a specific expiry length (e.g; "1 year")
' For session cookies, the expiry should be set to null.
if NOT isDate(expire) AND NOT isNull(expire) then
' Remove any double spaces and trim the value.
expire = replace(expire," "," ")
expire = trim(expire)
' Split on space to separate the expiry value from the expiry unit.
split_expire = split(expire," ")
' A uBound value of 1 is expected
if uBound(split_expire) = 1 then
expire_value = split_expire(0)
if NOT isNumeric(expire_value) then exit sub
expire_value = int(expire_value)
select case lCase(split_expire(1))
case "minute","minutes"
expire = DateAdd("n",expire_value,Now())
case "hour","hours"
expire = DateAdd("h",expire_value,Now())
case "day","days"
expire = DateAdd("d",expire_value,Now())
case "week","weeks"
expire = DateAdd("ww",expire_value,Now())
case "month","months"
expire = DateAdd("m",expire_value,Now())
case "year","years"
expire = DateAdd("yyyy",expire_value,Now())
case else
' unknown expiry unit, exit sub
exit sub
end select
else
' Unexpected uBound. This means no space was included when specifying the expiry length
' or multiple spaces were included.
exit sub
end if
end if
' Set the expiry date if there is one. If the expiry value is null then no expiry date will be set and
' the cookie will expire when the session does (a session cookie).
' The expiry date can only be UTC or GMT. Be sure to check your servers timezone and adjust accordingly.
if isDate(expire) then
' The cookie date needs to be formatted as:
' WeekDayName(shortened), day-monthName(shortened)-year timestamp(00:00:00) GMT/UTC
expire = cDate(expire)
cookie_header = cookie_header & "expires=" &_
weekday_name(WeekDay(expire),true) & ", " &_
ZeroPad(Day(expire)) & "-" &_
month_name(Month(expire),true) & "-" &_
year(expire) & " " &_
timeFromDate(expire) & " UTC; "
end if
cookie_header = cookie_header & "path=" & cookie_path & "; "
' HttpOnly means cookies can only be read over a HTTP (or HTTPS) connection.
' This prevents JavaScript from being able to read any cookies set as HttpOnly.
' HttpOnly should always be used unless you're setting a cookie that needs to
' be accessed by JavaScript (a CSRF token cookie for example).
if http_only then
cookie_header = cookie_header & "HttpOnly; "
end if
' A "secure" cookie means the cookie can only be accessed over a HTTPS connection.
' If we try to create a secure cookie over a none HTTPS connection it will be
' rejected by most browsers. So check the HTTPS protocol is ON before setting a
' cookie as secure. This check is particularly useful when running on a localhost,
' most localhosts don't use HTTPS, so trying to set a Secure cookie won't work.
if secure AND uCase(request.ServerVariables("HTTPS")) = "ON" then
cookie_header = cookie_header & "Secure; "
end if
' Add the header and remove the trailing ";"
response.AddHeader "Set-Cookie",left(cookie_header,len(cookie_header)-2)
end sub
' *********************************************************************************************************
' Delete a cookie
' *********************************************************************************************************
sub delete_cookie(cookie_name)
' There is no header for deleting cookies. Instead, cookies are modified to a date that
' has already expired and the users browser will delete the expired cookie for us.
response.AddHeader "Set-Cookie",cookie_name & "=; " &_
"expires=Thu, 01-Jan-1970 00:00:00 UTC; path=/"
end sub
' *********************************************************************************************************
' When the LCID is set to 1033 (us) vbLongTime formats in 12hr with AM / PM, this is invalid for a cookie
' timestamp. Instead, we use vbShortTime which returns the hour and minute as 24hr with any LCID, then use
' vbLongTime to get the seconds, and join the two together.
' *********************************************************************************************************
function timeFromDate(ByVal theDate)
Dim ts_secs : ts_secs = split(FormatDateTime(theDate,vbLongTime),":")
if uBound(ts_secs) = 2 then
timeFromDate = FormatDateTime(theDate,vbShortTime) & ":" & left(ts_secs(2),2)
else
timeFromDate = "00:00:00"
end if
end function
' *********************************************************************************************************
' WeekDayName and MonthName will return a value in the native language based on the LCID.
' These are custom functions used to return the weekday and month names in english,
' reguardless of the LCID
' *********************************************************************************************************
function weekday_name(weekday_val, shorten)
select case weekday_val
case 1
if shorten then weekday_name = "Sun" else weekday_name = "Sunday"
case 2
if shorten then weekday_name = "Mon" else weekday_name = "Monday"
case 3
if shorten then weekday_name = "Tue" else weekday_name = "Tuesday"
case 4
if shorten then weekday_name = "Wed" else weekday_name = "Wednesday"
case 5
if shorten then weekday_name = "Thu" else weekday_name = "Thursday"
case 6
if shorten then weekday_name = "Fri" else weekday_name = "Friday"
case 7
if shorten then weekday_name = "Sat" else weekday_name = "Saturday"
end select
end function
function month_name(month_val, shorten)
select case month_val
case 1
if shorten then month_name = "Jan" else month_name = "January"
case 2
if shorten then month_name = "Feb" else month_name = "February"
case 3
if shorten then month_name = "Mar" else month_name = "March"
case 4
if shorten then month_name = "Apr" else month_name = "April"
case 5
month_name = "May"
case 6
if shorten then month_name = "Jun" else month_name = "June"
case 7
if shorten then month_name = "Jul" else month_name = "July"
case 8
if shorten then month_name = "Aug" else month_name = "August"
case 9
if shorten then month_name = "Sep" else month_name = "September"
case 10
if shorten then month_name = "Oct" else month_name = "October"
case 11
if shorten then month_name = "Nov" else month_name = "November"
case 12
if shorten then month_name = "Dec" else month_name = "December"
end select
end function
' *********************************************************************************************************
' Prefix a 1 digit number with a 0. Used in date formatting
' *********************************************************************************************************
function zeroPad(theNum)
if len(theNum) = 1 then
zeroPad = cStr("0" & theNum)
else
zeroPad = theNum
end if
end function
示例:
' **************************************************************************************************************
' set_cookie(COOKIE NAME, COOKIE VALUE, COOKIE PATH, HTTPONLY (BOOLEAN), SECURE (BOOLEAN), EXPIRY DATE / LENGTH)
' **************************************************************************************************************
' Expire on a specific date:
call set_cookie("cookie_name1","cookie value","/",true,true,"15 Jan 2019 12:12:12")
call set_cookie("cookie_name2","cookie value","/",true,true,"15 January 2019 12:12:12")
call set_cookie("cookie_name3","cookie value","/",true,true,"Jan 15 2019 12:12:12")
call set_cookie("cookie_name4","cookie value","/",true,true,"January 15 2019 12:12:12")
call set_cookie("cookie_name5","cookie value","/",true,true,"Jan 15 2019")
call set_cookie("cookie_name6","cookie value","/",true,true,"January 15 2019")
' Expire when the session ends (a sesson cookie):
call set_cookie("cookie_name7","cookie value","/",true,true,null)
' Specify an expiry length:
call set_cookie("cookie_name8","cookie value","/",true,true,"20 minutes")
call set_cookie("cookie_name9","cookie value","/",true,true,"1 hour")
call set_cookie("cookie_name10","cookie value","/",true,true,"10 days")
call set_cookie("cookie_name11","cookie value","/",true,true,"3 weeks")
call set_cookie("cookie_name12","cookie value","/",true,true,"1 year")
' Delete a cookie:
call delete_cookie("cookie_name")
' This would also work for deleting a cookie:
call set_cookie("cookie_name","","/",false,false,"-1 year")
答案 5 :(得分:0)
旧但很好,请将其添加到全局包含的asp中:
Dim AspSessionCookie
AspSessionCookie = Request.ServerVariables("HTTP_COOKIE")
If instr(AspSessionCookie,"ASPSESSIONID") > 0 Then
AspSessionCookie = "ASPSESSIONID" & Split(AspSessionCookie,"ASPSESSIONID")(1)
If InStr(1,AspSessionCookie,";") then
AspSessionCookie = Split(AspSessionCookie,";")(0)
End If
Response.AddHeader "Set-Cookie", AspSessionCookie & ";HttpOnly"
End If
答案 6 :(得分:-1)
This page有很多与您的问题相关的信息。
.NET 1.1不添加HttpOnly,因为它尚未发明。
如果您的应用程序将在.NET 2.0下运行(我将几个经典ASP站点移动到2.0几乎不变)HttpOnly默认设置。
如果我读得对,你可以获得会话cookie并附加; HttpOnly;。他举了一个例子:
String sessionid = request.getSession().getId();
response.setHeader("SET-COOKIE", "JSESSIONID=" + sessionid + "; HttpOnly");
最后,他建议:
如果代码更改不可行,可以使用Web应用程序防火墙将HttpOnly添加到会话cookie
编辑添加:给那些认为迁移到.NET(可以容纳大多数经典ASP代码不变)的人,为了获得如此小的功能而变得过于激烈,我对ISAPI过滤器的体验是他们也可能是一个主要的痛苦,在一些常见的情况下(共享托管)你根本不能使用它们。
相关问题
最新问题
- 我写了这段代码,但我无法理解我的错误
- 我无法从一个代码实例的列表中删除 None 值,但我可以在另一个实例中。为什么它适用于一个细分市场而不适用于另一个细分市场?
- 是否有可能使 loadstring 不可能等于打印?卢阿
- java中的random.expovariate()
- Appscript 通过会议在 Google 日历中发送电子邮件和创建活动
- 为什么我的 Onclick 箭头功能在 React 中不起作用?
- 在此代码中是否有使用“this”的替代方法?
- 在 SQL Server 和 PostgreSQL 上查询,我如何从第一个表获得第二个表的可视化
- 每千个数字得到
- 更新了城市边界 KML 文件的来源?