How to secure classic ASP ASPSESSIONID cookie?

The answer is no there isn't There isn't on the standard UI provided by IIS manager. However, you can enable secure cookies for the SessionID via the AspKeepSessionIDSecure Metabase value


I run this command:

CSCRIPT C:\Inetpub\AdminScripts\adsutil.vbs set w3svc/1/AspKeepSessionIDSecure 1

More information here: http://blogs.msdn.com/b/rahulso/archive/2007/06/19/cookies-case-study-with-ssl-and-frames-classic-asp.aspx


As found here, an UrlRewrite rule can handle this.

The rules below handle it for adding both HttpOnly and Secure if they are missing on the ASPSESSIONID cookie. (For other cookies, normally they are emitted by the site ASP code: better handle that directly in the code responsible for them.)

<system.webServer>
  <rewrite>
    <outboundRules>
      <rule name="Add HttpOnly" preCondition="No HttpOnly">
        <match serverVariable="RESPONSE_Set_Cookie" pattern="\s*ASPSESSIONID.*" />
        <action type="Rewrite" value="{R:0}; HttpOnly" />
      </rule>
      <rule name="Add Secure" preCondition="No Secure">
        <match serverVariable="RESPONSE_Set_Cookie" pattern="\s*ASPSESSIONID.*" />
        <action type="Rewrite" value="{R:0}; Secure" />
        <conditions>
          <add input="{HTTP_HOST}" pattern="localhost" negate="true" />
        </conditions>
      </rule>
      <preConditions>
        <preCondition name="No HttpOnly">
          <add input="{RESPONSE_Set_Cookie}" pattern="; HttpOnly" negate="true" />
        </preCondition>
        <preCondition name="No Secure" logicalGrouping="MatchAll">
          <add input="{RESPONSE_Set_Cookie}" pattern="; Secure" negate="true" />
        </preCondition>
      </preConditions>
    </outboundRules>
  </rewrite>
</system.webServer>

If UrlRewrite is not installed in the IIS Server, this will crash the site.

Note that the Secure rule should not be applied if the site is legitimately accessed over http instead of https, thus the condition for not emitting it when browsing it locally. If Secure is emitted for a site accessed over http from the client end, the client will not send the cookie back to the server.

(I avoid testing the inbound protocol, because the sites I work on are not supposed to be accessed on http anyway, excepted eventually directly from their hosting server or load-balancer.)

I have previously tried using asp/session/keepSessionIdSecure, but it has no effect (at least for a site behind a load-balancer terminating the https and accessing the site server over http). This setting is the modern version (IIS 7+) of the AspKeepSessionIDSecure Metabase value pointed by AnthonyWJones answer.