How to secure classic ASP ASPSESSIONID cookie?
The answer is no there isn't There isn't on the standard UI provided by IIS manager. However, you can enable secure cookies for the SessionID via the AspKeepSessionIDSecure Metabase value
I run this command:
CSCRIPT C:\Inetpub\AdminScripts\adsutil.vbs set w3svc/1/AspKeepSessionIDSecure 1
More information here: http://blogs.msdn.com/b/rahulso/archive/2007/06/19/cookies-case-study-with-ssl-and-frames-classic-asp.aspx
As found here, an UrlRewrite rule can handle this.
The rules below handle it for adding both HttpOnly
and Secure
if they are missing on the ASPSESSIONID
cookie. (For other cookies, normally they are emitted by the site ASP code: better handle that directly in the code responsible for them.)
<system.webServer>
<rewrite>
<outboundRules>
<rule name="Add HttpOnly" preCondition="No HttpOnly">
<match serverVariable="RESPONSE_Set_Cookie" pattern="\s*ASPSESSIONID.*" />
<action type="Rewrite" value="{R:0}; HttpOnly" />
</rule>
<rule name="Add Secure" preCondition="No Secure">
<match serverVariable="RESPONSE_Set_Cookie" pattern="\s*ASPSESSIONID.*" />
<action type="Rewrite" value="{R:0}; Secure" />
<conditions>
<add input="{HTTP_HOST}" pattern="localhost" negate="true" />
</conditions>
</rule>
<preConditions>
<preCondition name="No HttpOnly">
<add input="{RESPONSE_Set_Cookie}" pattern="; HttpOnly" negate="true" />
</preCondition>
<preCondition name="No Secure" logicalGrouping="MatchAll">
<add input="{RESPONSE_Set_Cookie}" pattern="; Secure" negate="true" />
</preCondition>
</preConditions>
</outboundRules>
</rewrite>
</system.webServer>
If UrlRewrite is not installed in the IIS Server, this will crash the site.
Note that the Secure
rule should not be applied if the site is legitimately accessed over http
instead of https
, thus the condition for not emitting it when browsing it locally. If Secure
is emitted for a site accessed over http
from the client end, the client will not send the cookie back to the server.
(I avoid testing the inbound protocol, because the sites I work on are not supposed to be accessed on http
anyway, excepted eventually directly from their hosting server or load-balancer.)
I have previously tried using asp/session/keepSessionIdSecure, but it has no effect (at least for a site behind a load-balancer terminating the https and accessing the site server over http). This setting is the modern version (IIS 7+) of the AspKeepSessionIDSecure
Metabase value pointed by AnthonyWJones answer.