RE: [WEB SECURITY] Classic ASP and HTTPOnly Cookies
- From: "Brian Shura" <bshura@xxxxxxxxxxxxx>
- Subject: RE: [WEB SECURITY] Classic ASP and HTTPOnly Cookies
- Date: Fri, 11 Apr 2008 18:36:00 -0400
Eric,
The only way I know of to do this would be to build an ISAPI filter that
modifies the "Set-Cookie" response header for the ASPSESSIONIDXXXXXXXX
cookie to add the HttpOnly flag to it.
But this is a lot of work for a small security enhancement. For most
Classic ASP apps the time could probably be better spent making other
security improvements, like fixing the XSS, SQL Injection, and parameter
tampering issues that tend to be prevalent in these apps.
Brian
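The header rewrite Brian describes, as an added example that is not code from the original post or from any IIS filter: the portable part of such a filter is a function that takes one Set-Cookie value, checks whether the cookie name starts with ASPSESSIONID (the suffix varies per application, so only the prefix is matched) and whether an HttpOnly attribute is already present, and appends "; HttpOnly" only when both conditions hold. The ISAPI hook it would plug into (SF_NOTIFY_SEND_RESPONSE with GetHeader/SetHeader) is described in a comment and not compiled here; the function names and the sample cookie values are this example's own.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Classic ASP session cookies are named ASPSESSIONID followed by a
 * per-application suffix, so the name is matched on this prefix only. */
#define ASP_SESSION_PREFIX "ASPSESSIONID"

/* Case-insensitive prefix test; stops safely at the end of s. */
static int starts_with_nocase(const char *s, const char *prefix)
{
    for (; *prefix; s++, prefix++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix))
            return 0;
    return 1;
}

/* Return 1 if the Set-Cookie value already carries an HttpOnly attribute.
 * Attributes are ';'-separated; each is trimmed of leading whitespace and
 * compared case-insensitively, so "httponly" and "HttpOnly=" both count,
 * while a cookie *value* that happens to contain the text does not. */
static int has_httponly(const char *value)
{
    const char *p = strchr(value, ';');
    while (p) {
        p++;
        while (*p == ' ' || *p == '\t') p++;
        if (starts_with_nocase(p, "httponly")) {
            char c = p[8];
            if (c == '\0' || c == ';' || c == ' ' || c == '=') return 1;
        }
        p = strchr(p, ';');
    }
    return 0;
}

/* Rewrite one Set-Cookie header value into out (capacity outlen).
 * Returns 1 and appends "; HttpOnly" when the cookie is an ASP session
 * cookie without the flag; returns 0 and copies the value unchanged
 * otherwise; returns -1 (out untouched) if the buffer is too small. */
int add_httponly(const char *value, char *out, size_t outlen)
{
    size_t len = strlen(value);
    int needs_flag = starts_with_nocase(value, ASP_SESSION_PREFIX)
                     && !has_httponly(value);
    const char *suffix = needs_flag ? "; HttpOnly" : "";
    if (len + strlen(suffix) + 1 > outlen) return -1;
    memcpy(out, value, len);
    strcpy(out + len, suffix);
    return needs_flag;
}

/* Where this sits in a real filter (assumed IIS 5/6-era glue, not built
 * here): HttpFilterProc receives SF_NOTIFY_SEND_RESPONSE with a
 * HTTP_FILTER_SEND_RESPONSE *p; call p->GetHeader(pfc, "Set-Cookie:",
 * buf, &size), run add_httponly(buf, out, sizeof out), and if it returns 1
 * call p->SetHeader(pfc, "Set-Cookie:", out). Verify on the target IIS
 * version how GetHeader behaves when several Set-Cookie headers are
 * present before relying on it. */
int main(void)
{
    /* Constructed sample values, not captured from a real server. */
    const char *samples[] = {
        "ASPSESSIONIDQABCDEFG=ABCDEFGHIJKLMNOP; path=/",
        "ASPSESSIONIDQABCDEFG=ABCDEFGHIJKLMNOP; path=/; HttpOnly",
        "theme=dark; path=/",
    };
    char out[256];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = add_httponly(samples[i], out, sizeof out);
        printf("%d  %s\n", rc, rc < 0 ? "(buffer too small)" : out);
    }
    return 0;
}
```

The function is deliberately applied per header value rather than to the whole response: a filter should leave non-session cookies alone so that scripts which legitimately read them keep working, and it must not append a second HttpOnly if the application has already set one.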
Brought to you by http://www.webappsec.org