wake-up-neo.com

HTTPONLY für Classic Asp Session Cookie einstellen

Weiß jemand genau, wie man HTTPONLY für klassische Sitzungscookies ASP setzt?

Dies ist die letzte Sache, die in einem Schwachstellenscan markiert wurde, und muss so schnell wie möglich behoben werden, sodass jede Hilfe geschätzt wird.

~~~ EINIGE WEITERE INFORMATIONEN ZU MEINEM PROBLEM ~~~

Kann mir bitte jemand dabei helfen?

Ich muss wissen, wie HTTPONLY für das ASPSESSION-Cookie festgelegt wird, das standardmäßig aus ASP und IIS erstellt wird.

Dieses Cookie wird vom Server automatisch für alle ASP-Seiten erstellt.

Bei Bedarf kann ich HTTPONLY für alle Cookies auf der Site setzen.

Jede Hilfe, wie man dies macht, wäre enorm zu schätzen.

Vielen Dank

Vielen Dank. Elliott

29
E.Shafii

Microsoft enthält ein Beispiel für die Verwendung eines ISAPI-Filters für alle ausgehenden Cookies: http://msdn.Microsoft.com/en-us/library/ms972826

oder URL-Umschreiben könnte verwendet werden http://forums.iis.net/p/1168473/1946312.aspx

<rewrite>
        <outboundRules>
            <rule name="Add HttpOnly" preCondition="No HttpOnly">
                <match serverVariable="RESPONSE_Set_Cookie" pattern=".*" negate="false" />
                <action type="Rewrite" value="{R:0}; HttpOnly" />
                <conditions>
                </conditions>
            </rule>
            <preConditions>
                <preCondition name="No HttpOnly">
                    <add input="{RESPONSE_Set_Cookie}" pattern="." />
                    <add input="{RESPONSE_Set_Cookie}" pattern="; HttpOnly" negate="true" />
                </preCondition>
            </preConditions>
        </outboundRules>
    </rewrite>
11
sep15ms

Wenn Sie über IIS7 + verfügen, müssen Sie sicherstellen, dass das URL-Rewrite-Modul installiert ist. Sie können es mit dem Web Platform Installer installieren. Das Web Platform-Installationsprogramm finden Sie in der Funktionsansicht Ihrer Website. Sie müssen den IIS Manager als Administrator ausführen.

 Run IIS As Administratro

Klicken Sie in der Funktionsansicht Ihrer Website auf das Web Platform-Installationsprogramm:

 Web Platform Installer

Stellen Sie sicher, dass das URL-Rewrite-Serverprodukt installiert ist. Wenn nicht, installieren Sie es.

 Url Rewrite Server Product

Wenn das URL-Rewrite-Serverprodukt installiert ist, können Sie die URL-Rewrite-Funktion auf Ihrer Website verwenden, um eine Regel zum Hinzufügen von HttpOnly für Ihre Session-ID-Cookies hinzuzufügen.

 URL Rewrite Feature

 enter image description here

 Add HttpOnly Outbound Rule

Falls noch nicht vorhanden, sollte eine web.config -Datei angezeigt werden, die für Ihre ASP - Site erstellt wurde. es wird folgenden Inhalt haben:

 enter image description here

Wenn Sie Firebug in Firefox verwenden, um Ihre Cookies zu überprüfen, sollte jetzt das Flag HttpOnly gesetzt sein:

 enter image description here

3

Ich habe das ISAPI-Filterbeispiel von Microsoft kompiliert . Das hat mein Problem gelöst.

Die ISAPI DLL ist hier

Fühlen Sie sich frei zum Download.

1
Response.AddHeader "Set-Cookie", "CookieName=CookieValue; path=/; HttpOnly" 

Quelle: http://www.asp101.com/tips/index.asp?id=160

1
Martin Eve

Das Setzen des Sitzungscookies ASP als HttpOnly kann in web.config mit URLrewrite erfolgen: 

<rewrite>
    <outboundRules>
        <rule name="Secure ASP session cookie">
            <match serverVariable="RESPONSE_Set_Cookie" pattern="ASPSESSIONID(.*)" negate="false" />
            <!--<action type="Rewrite" value="ASPSESSIONID{R:1}; HttpOnly; Secure" />-->
            <action type="Rewrite" value="ASPSESSIONID{R:1}; HttpOnly" />
        </rule> 
    </outboundRules>
</rewrite>

Es ist auch möglich, URLrewrite zu verwenden, um alle Cookies HttpOnly/Secure zu erstellen, aber manchmal müssen Cookies in JavaScript lesbar sein. Daher haben wir hier eine Sammlung von Funktionen und Unterroutinen, die ich vor einiger Zeit geschrieben habe, um reguläre Cookies zu erstellen, mit denen "HttpOnly" aktiviert oder deaktiviert werden kann "und" Sicher ":

' *********************************************************************************************************
' Set a cookie
' *********************************************************************************************************

sub set_cookie(cookie_name,cookie_value,cookie_path,http_only,secure,expire)

    Dim cookie_header, split_expire, expire_value

    ' Set the cookie name and value. The value must be URL encoded.

    cookie_header = cookie_name & "=" & server.URLEncode(cookie_value) & "; "

    ' To set cookies that can be accessed by sub domains, you need to specify the domain as
    ' ".mydomain.com". If no domain is specified then the cookie will be set as "Host only",
    ' and only be accessible to the domain it was set on. Un-comment to disable Host only:

    'cookie_header = cookie_header & "Domain=.mydomain.com; "

    ' Check the expire value for a specific expiry length (e.g; "1 year")
    ' For session cookies, the expiry should be set to null.

    if NOT isDate(expire) AND NOT isNull(expire) then

        ' Remove any double spaces and trim the value.

        expire = replace(expire,"  "," ")
        expire = trim(expire)

        ' Split on space to separate the expiry value from the expiry unit.

        split_expire = split(expire," ")

        ' A uBound value of 1 is expected

        if uBound(split_expire) = 1 then

            expire_value = split_expire(0)
            if NOT isNumeric(expire_value) then exit sub
            expire_value = int(expire_value)

            select case lCase(split_expire(1))

                case "minute","minutes"
                    expire = DateAdd("n",expire_value,Now())
                case "hour","hours"
                    expire = DateAdd("h",expire_value,Now())
                case "day","days"
                    expire = DateAdd("d",expire_value,Now())
                case "week","weeks"
                    expire = DateAdd("ww",expire_value,Now())
                case "month","months"
                    expire = DateAdd("m",expire_value,Now())
                case "year","years"
                    expire = DateAdd("yyyy",expire_value,Now())
                case else
                    ' unknown expiry unit, exit sub
                    exit sub
            end select

        else

            ' Unexpected uBound. This means no space was included when specifying the expiry length
            ' or multiple spaces were included. 

            exit sub

        end if

    end if

    ' Set the expiry date if there is one. If the expiry value is null then no expiry date will be set and 
    ' the cookie will expire when the session does (a session cookie).

    ' The expiry date can only be UTC or GMT. Be sure to check your servers timezone and adjust accordingly.

    if isDate(expire) then

        ' The cookie date needs to be formatted as:
        ' WeekDayName(shortened), day-monthName(shortened)-year timestamp(00:00:00) GMT/UTC

        expire = cDate(expire)
        cookie_header = cookie_header & "expires=" &_ 
        weekday_name(WeekDay(expire),true) & ", " &_ 
        ZeroPad(Day(expire)) & "-" &_ 
        month_name(Month(expire),true) & "-" &_ 
        year(expire) & " " &_ 
        timeFromDate(expire) & " UTC; "

    end if

    cookie_header = cookie_header & "path=" & cookie_path & "; "

    ' HttpOnly means cookies can only be read over a HTTP (or HTTPS) connection.
    ' This prevents JavaScript from being able to read any cookies set as HttpOnly.
    ' HttpOnly should always be used unless you're setting a cookie that needs to
    ' be accessed by JavaScript (a CSRF token cookie for example).

    if http_only then
        cookie_header = cookie_header & "HttpOnly; "
    end if

    ' A "secure" cookie means the cookie can only be accessed over a HTTPS connection.
    ' If we try to create a secure cookie over a none HTTPS connection it will be 
    ' rejected by most browsers. So check the HTTPS protocol is ON before setting a
    ' cookie as secure. This check is particularly useful when running on a localhost,
    ' most localhosts don't use HTTPS, so trying to set a Secure cookie won't work. 

    if secure AND uCase(request.ServerVariables("HTTPS")) = "ON" then
        cookie_header = cookie_header & "Secure; "
    end if          

    ' Add the header and remove the trailing ";"

    response.AddHeader "Set-Cookie",left(cookie_header,len(cookie_header)-2)

end sub


' *********************************************************************************************************
' Delete a cookie   
' *********************************************************************************************************

sub delete_cookie(cookie_name)

    ' There is no header for deleting cookies. Instead, cookies are modified to a date that
    ' has already expired and the users browser will delete the expired cookie for us.

    response.AddHeader "Set-Cookie",cookie_name & "=; " &_
    "expires=Thu, 01-Jan-1970 00:00:00 UTC; path=/"

end sub


' *********************************************************************************************************
' When the LCID is set to 1033 (us) vbLongTime formats in 12hr with AM / PM, this is invalid for a cookie
' timestamp. Instead, we use vbShortTime which returns the hour and minute as 24hr with any LCID, then use
' vbLongTime to get the seconds, and join the two together.
' *********************************************************************************************************

function timeFromDate(ByVal theDate)
    Dim ts_secs : ts_secs = split(FormatDateTime(theDate,vbLongTime),":")       
    if uBound(ts_secs) = 2 then
        timeFromDate = FormatDateTime(theDate,vbShortTime) & ":" & left(ts_secs(2),2)
    else
        timeFromDate = "00:00:00"   
    end if
end function


' *********************************************************************************************************
' WeekDayName and MonthName will return a value in the native language based on the LCID.
' These are custom functions used to return the weekday and month names in english, 
' reguardless of the LCID
' *********************************************************************************************************

function weekday_name(weekday_val, shorten)

    select case weekday_val

        case 1
            if shorten then weekday_name = "Sun" else weekday_name = "Sunday"
        case 2
            if shorten then weekday_name = "Mon" else weekday_name = "Monday"
        case 3
            if shorten then weekday_name = "Tue" else weekday_name = "Tuesday"
        case 4
            if shorten then weekday_name = "Wed" else weekday_name = "Wednesday"
        case 5
            if shorten then weekday_name = "Thu" else weekday_name = "Thursday"
        case 6
            if shorten then weekday_name = "Fri" else weekday_name = "Friday"
        case 7
            if shorten then weekday_name = "Sat" else weekday_name = "Saturday"

    end select

end function

function month_name(month_val, shorten)

    select case month_val

        case 1
            if shorten then month_name = "Jan" else month_name = "January"
        case 2
            if shorten then month_name = "Feb" else month_name = "February"
        case 3
            if shorten then month_name = "Mar" else month_name = "March"
        case 4
            if shorten then month_name = "Apr" else month_name = "April"
        case 5
            month_name = "May"
        case 6
            if shorten then month_name = "Jun" else month_name = "June"
        case 7
            if shorten then month_name = "Jul" else month_name = "July"
        case 8
            if shorten then month_name = "Aug" else month_name = "August"
        case 9
            if shorten then month_name = "Sep" else month_name = "September"
        case 10
            if shorten then month_name = "Oct" else month_name = "October"
        case 11
            if shorten then month_name = "Nov" else month_name = "November"
        case 12
            if shorten then month_name = "Dec" else month_name = "December"

    end select

end function


' *********************************************************************************************************
' Prefix a 1 digit number with a 0. Used in date formatting
' *********************************************************************************************************

function zeroPad(theNum)
    if len(theNum) = 1 then
        zeroPad = cStr("0" & theNum)
    else
        zeroPad = theNum
    end if
end function

Beispiele:

' **************************************************************************************************************
' set_cookie(COOKIE NAME, COOKIE VALUE, COOKIE PATH, HTTPONLY (BOOLEAN), SECURE (BOOLEAN), EXPIRY DATE / LENGTH)
' **************************************************************************************************************

' Expire on a specific date: 

call set_cookie("cookie_name1","cookie value","/",true,true,"15 Jan 2019 12:12:12")
call set_cookie("cookie_name2","cookie value","/",true,true,"15 January 2019 12:12:12")

call set_cookie("cookie_name3","cookie value","/",true,true,"Jan 15 2019 12:12:12")
call set_cookie("cookie_name4","cookie value","/",true,true,"January 15 2019 12:12:12")

call set_cookie("cookie_name5","cookie value","/",true,true,"Jan 15 2019")
call set_cookie("cookie_name6","cookie value","/",true,true,"January 15 2019")

' Expire when the session ends (a sesson cookie):

call set_cookie("cookie_name7","cookie value","/",true,true,null)

' Specify an expiry length:

call set_cookie("cookie_name8","cookie value","/",true,true,"20 minutes")
call set_cookie("cookie_name9","cookie value","/",true,true,"1 hour")
call set_cookie("cookie_name10","cookie value","/",true,true,"10 days")
call set_cookie("cookie_name11","cookie value","/",true,true,"3 weeks")
call set_cookie("cookie_name12","cookie value","/",true,true,"1 year")

' Delete a cookie:

call delete_cookie("cookie_name")

' This would also work for deleting a cookie:

call set_cookie("cookie_name","","/",false,false,"-1 year")
0
Adam

alt aber gut, fügen Sie dies in einem global enthaltenen asp hinzu:

Dim AspSessionCookie
AspSessionCookie = Request.ServerVariables("HTTP_COOKIE")

If instr(AspSessionCookie,"ASPSESSIONID") > 0 Then
    AspSessionCookie = "ASPSESSIONID" & Split(AspSessionCookie,"ASPSESSIONID")(1)
    If  InStr(1,AspSessionCookie,";") then
        AspSessionCookie = Split(AspSessionCookie,";")(0)        
    End If

    Response.AddHeader "Set-Cookie", AspSessionCookie & ";HttpOnly"
End If
0
edestrero