How exactly do you configure httpOnly Cookies in ASP Classic?

Eduardo Molteni picture Eduardo Molteni · Sep 10, 2008 · Viewed 31.4k times · Source

I'm looking to implement httpOnly in my legacy ASP classic sites. Anyone knows how to do it?

Answer

Brian Clark picture Brian Clark · Feb 11, 2013

If you run your Classic ASP web pages on IIS 7/7.5, then you can use the IIS URL Rewrite module to write a rule to make your cookies HTTPOnly.

Paste the following into the section of your web.config:

<rewrite>
    <outboundRules>
        <rule name="Add HttpOnly" preCondition="No HttpOnly">
            <match serverVariable="RESPONSE_Set_Cookie" pattern=".*" negate="false" />
            <action type="Rewrite" value="{R:0}; HttpOnly" />
            <conditions>
            </conditions>
        </rule>
        <preConditions>
            <preCondition name="No HttpOnly">
                <add input="{RESPONSE_Set_Cookie}" pattern="." />
                <add input="{RESPONSE_Set_Cookie}" pattern="; HttpOnly" negate="true" />
            </preCondition>
        </preConditions>
    </outboundRules>
</rewrite>

See here for the details: http://forums.iis.net/t/1168473.aspx/1/10

For background, HTTPOnly cookies are required for PCI compliance reasons. The PCI standards folks (for credit card security) make you have HTTPOnly on your sessionID cookies at the very least in order to help prevent XSS attacks.

Also, at the current time (2-11-2013), all major browser support the HTTPOnly restriction on cookies. This includes current versions of IE, Firefox, Chrome and Safari.

See here for more info on how this works and support by various browser versions: https://www.owasp.org/index.php/HTTPOnly