I have a client who runs his Classic ASP site under IIS 6.0. The web site is targeted for ASP.NET 2.0 in the ASP.NET configuration tab. A recent PCI Scan of his site is failing him with an HttpOnly vulnerability on his ASPSESSIONID cookie.
I have installed an ISAPI .dll that successfully sets HttpOnly on all manually created cookies, but ASPSESSIONID cookie is not effected by this for some reason.
I have set web.config with the following configuration:
<system.web>
<httpCookies httpOnlyCookies="true" />
</system.web>
This configuration seems to have no effect whatsoever, on anything. I suspect, even though the web site is targeted for ASP.NET 2.0 it is afterall a Classic ASP application and HttpOnly wasn't supported at all.
The client's web site uses a global.asa instead of global.asax. This rules out using Application_EndRequest to add HttpOnly.
I can load up the client's site using Firefox/Firebug and see the cookies. Those manually created are getting HttpOnly set, but the ASPSESSIONID cookie is not HttpOnly.
Is anyone aware of how to cause the ASPSESSIONID cookie to be HttpOnly given this setup scenario?
Best Answer
The ASP Session Cookie can not be modified by Classic ASP code, so for IIS 6 you would need to have ISAPI module rewrite the cookies.
Setting HTTPONLY for Classic Asp Session Cookie
http://msdn.microsoft.com/en-us/library/ms972826
Client side JavaScript workaround
http://ko-lwin.blogspot.com/2010/12/how-to-secure-classic-asp-session-id.html