[WEB SECURITY] Classic ASP and HTTPOnly Cookies

Brian Shura bshura at sbcglobal.net
Fri Apr 11 18:36:00 EDT 2008


The only way I know of to do this would be to build an ISAPI filter that
modifies the “Set-Cookie” response header for the ASPSESSIONIDXXXXXXXX
cookie to add the HttpOnly flag to it.

But this is a lot of work for a small security enhancement.  For most
Classic ASP apps the time could probably be better spent making other
security improvements, like fixing the XSS, SQL Injection, and parameter
tampering issues that tend to be prevalent in these apps.
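The rewrite step of the ISAPI filter described above, as an added example that is not from the post or from any IIS or Microsoft code: it takes one Set-Cookie header value and appends HttpOnly only for ASPSESSIONID cookies that lack it, leaving other cookies and already-flagged cookies untouched. The Windows-specific IIS hook that fetches and replaces the header (an ISAPI filter registered for the SF_NOTIFY_SEND_RESPONSE notification) is left out, and the cookie values used in testing are constructed.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Every Classic ASP session cookie name starts with this prefix; the
 * 8-character suffix after it is generated per application. */
#define ASP_SESSION_PREFIX "ASPSESSIONID"
#define HTTPONLY_ATTR "HttpOnly"

/* Case-insensitive comparison of n characters (cookie attribute names
 * are case-insensitive). Caller guarantees both strings have n chars. */
static int ieq(const char *a, const char *b, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i])) return 0;
    return 1;
}

/* Returns 1 when the Set-Cookie value already carries HttpOnly as a
 * standalone attribute token, 0 otherwise (so "HttpOnlyX" does not count). */
int has_httponly(const char *value) {
    size_t n = strlen(HTTPONLY_ATTR);
    for (const char *p = value; *p; p++) {
        int at_start = (p == value || p[-1] == ';' || p[-1] == ' ');
        if (at_start && strlen(p) >= n && ieq(p, HTTPONLY_ATTR, n)) {
            char c = p[n];
            if (c == '\0' || c == ';' || c == ' ') return 1;
        }
    }
    return 0;
}

/* Core of the filter: given one Set-Cookie header value, return a newly
 * allocated copy with "; HttpOnly" appended if (and only if) the cookie
 * is an ASP session cookie that lacks the flag. Other cookies, and
 * session cookies that already have the flag, are copied unchanged.
 * The caller owns the returned buffer. */
char *add_httponly(const char *value) {
    size_t len = strlen(value);
    int is_session = strncmp(value, ASP_SESSION_PREFIX, strlen(ASP_SESSION_PREFIX)) == 0;
    const char *suffix = (is_session && !has_httponly(value)) ? "; " HTTPONLY_ATTR : "";
    char *out = malloc(len + strlen(suffix) + 1);
    if (out == NULL) return NULL;
    memcpy(out, value, len);
    strcpy(out + len, suffix);
    return out;
}
```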

