How exactly do you configure httpOnly Cookies in ASP Classic?

Response.AddHeader "Set-Cookie", "mycookie=yo; HttpOnly"

Other options like expires, path and secure can be also added in this way. I don't know of any magical way to change your whole cookies collection, but I could be wrong about that.


If you run your Classic ASP web pages on IIS 7/7.5, then you can use the IIS URL Rewrite module to write a rule to make your cookies HTTPOnly.

Paste the following into the section of your web.config:

<rewrite>
    <outboundRules>
        <rule name="Add HttpOnly" preCondition="No HttpOnly">
            <match serverVariable="RESPONSE_Set_Cookie" pattern=".*" negate="false" />
            <action type="Rewrite" value="{R:0}; HttpOnly" />
            <conditions>
            </conditions>
        </rule>
        <preConditions>
            <preCondition name="No HttpOnly">
                <add input="{RESPONSE_Set_Cookie}" pattern="." />
                <add input="{RESPONSE_Set_Cookie}" pattern="; HttpOnly" negate="true" />
            </preCondition>
        </preConditions>
    </outboundRules>
</rewrite>

See here for the details: http://forums.iis.net/t/1168473.aspx/1/10

For background, HTTPOnly cookies are required for PCI compliance reasons. The PCI standards folks (for credit card security) make you have HTTPOnly on your sessionID cookies at the very least in order to help prevent XSS attacks.

Also, at the current time (2-11-2013), all major browser support the HTTPOnly restriction on cookies. This includes current versions of IE, Firefox, Chrome and Safari.

See here for more info on how this works and support by various browser versions: https://www.owasp.org/index.php/HTTPOnly


You need to append ";HttpOnly" to the Response cookies collection.