Secure Session ID Cookies on IIS6 Using Metabase And Classic ASP

I have been looking for a solution to this problem for weeks! How do you mark a cookie as secure so that it will only be transmitted via an SSL connection in IIS6? The first (and best) solution is so simple that I am annoyed by the amount of time I wasted on workarounds (solution 2).

Please keep in mind these are two different solutions. I suggest using the first one or the second one (if you have to) but not both together.

Solution 1

  1. Enable Direct Metabase Editing. As the option's description says, this allows you to edit the Metabase.xml file while IIS is running.
  2. Navigate to and open the Metabase.xml file.
  3. Change the value of the property ASPKeepSessionIDSecure to equal “1” instead of “0”. Note the number must be in quotes.

More Metabase Properties:

Solution 2

I do not suggest this approach, as it seems to require an extra round trip to the server before the cookie is marked Secure, which, if you think about it, still leaves you vulnerable to packet sniffing. The attacker can capture your session cookie before you log in, and since that same cookie is later marked Secure without the session ID changing, he could then use the cookie captured over the insecure connection to hijack your session. This can be mitigated however by requiring SSL for the directory the user is browsing.

Nonetheless here is the code that marks your cookie secure. It must be included on every page through a sort of server side include.

' secureAspSessionCookie
' Notes:
'   If on SSL, takes the ASP session cookie and re-issues it marked Secure.
'   If the user changes to non-SSL, a new cookie is issued by IIS.
Function secureAspSessionCookie()
    If Request.ServerVariables("HTTPS") = "on" Then
        Dim AspSessionCookie
        AspSessionCookie = Request.ServerVariables("HTTP_COOKIE")
        ' Guard: Split(...)(1) below would fail if no ASPSESSIONID cookie is present
        If InStr(1, AspSessionCookie, "ASPSESSIONID") > 0 Then
            ' Keep only the ASPSESSIONIDxxxx=value pair, dropping any other cookies
            AspSessionCookie = "ASPSESSIONID" & Split(AspSessionCookie, "ASPSESSIONID")(1)
            If InStr(1, AspSessionCookie, ";") > 0 Then
                AspSessionCookie = Split(AspSessionCookie, ";")(0)
            End If
            ' Re-issue the same cookie with the Secure attribute
            Response.AddHeader "Set-Cookie", AspSessionCookie & "; Secure; Path=/"
        End If
    End If
End Function


How to Add X-Frame-Options In Classic ASP

This is how you add the X-Frame-Options header to your page in ASP. This can also be done in IIS.
Using the X-Frame-Options header will prevent your page from being displayed inside another frame, discouraging clickjacking. There are a few different ways to set it up.

1. Your first option is to deny ALL attempts to frame your page.

<% Response.AddHeader "X-FRAME-OPTIONS", "DENY" %>

2. The second option denies ALL attempts to frame your page by any website other than your own.

<% Response.AddHeader "X-FRAME-OPTIONS", "SAMEORIGIN" %>

3. The third option specifies exactly which website can frame your page. While this option is likely the one you’d use, it is not supported by all browsers, Chrome and Safari among them. 🙁
Good thing there is an online test to see which of these your browser supports.

<% ' ALLOW-FROM takes one origin; https://example.com is a placeholder for the site allowed to frame this page
   Response.AddHeader "X-FRAME-OPTIONS", "ALLOW-FROM https://example.com" %>
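To check that the fixes from both posts above actually took effect, here is a small header audit, added as an example and not part of the original posts. It flags an ASPSESSIONID cookie set without Secure, detects the Solution 2 weakness (the HTTPS response re-issuing the very session ID first sent over plain HTTP), and validates the X-Frame-Options value; the response headers below are constructed sample data, not captured from a real site.

```python
import re

# Constructed sample headers from an IIS6 test site: one response served over plain
# HTTP, one over HTTPS after Solution 2's function re-issued the cookie as Secure.
HTTP_RESPONSE = [
    ("Set-Cookie", "ASPSESSIONIDQACRSDTB=ABCDEFGHIJKLMNOPQRSTUVWX; path=/"),
]
HTTPS_RESPONSE = [
    ("Set-Cookie", "ASPSESSIONIDQACRSDTB=ABCDEFGHIJKLMNOPQRSTUVWX; Secure; Path=/"),
    ("X-FRAME-OPTIONS", "Allow-From"),
]

def set_cookies(headers):
    """Yield (name, value, {lower-cased attribute names}) for each Set-Cookie header."""
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        pair, *attrs = value.split(";")
        cname, _, cval = pair.strip().partition("=")
        yield cname, cval, {a.strip().split("=", 1)[0].lower() for a in attrs}

def session_cookies(headers):
    """(name, value) of every ASP session cookie, whatever its random name suffix."""
    return {(c, v) for c, v, _ in set_cookies(headers) if c.upper().startswith("ASPSESSIONID")}

def insecure_session_cookies(headers):
    """Names of ASP session cookies set without the Secure attribute."""
    return [c for c, _, a in set_cookies(headers)
            if c.upper().startswith("ASPSESSIONID") and "secure" not in a]

def session_id_reused(http_headers, https_headers):
    """True when HTTPS re-issues the id first sent in the clear (a sniffed id still works)."""
    return bool(session_cookies(http_headers) & session_cookies(https_headers))

def x_frame_options_issue(headers):
    """None for DENY/SAMEORIGIN; otherwise a short finding keyword."""
    values = [v.strip() for n, v in headers if n.lower() == "x-frame-options"]
    if not values:
        return "missing"            # page can be framed by any site
    value = values[0]
    if value.upper() in ("DENY", "SAMEORIGIN"):
        return None
    if re.fullmatch(r"ALLOW-FROM\s+https?://\S+", value, re.IGNORECASE):
        return "allow-from"         # well-formed, but Chrome and Safari ignore it
    return "invalid"                # e.g. "Allow-From" with no URI: browsers ignore the header

if __name__ == "__main__":
    print("HTTP cookies without Secure:", insecure_session_cookies(HTTP_RESPONSE))
    print("session id reused on HTTPS:", session_id_reused(HTTP_RESPONSE, HTTPS_RESPONSE))
    print("X-Frame-Options issue:", x_frame_options_issue(HTTPS_RESPONSE))
```

With Solution 1 (ASPKeepSessionIDSecure) in place, IIS never sets the cookie over plain HTTP, so both the insecure-cookie and the reused-id findings disappear.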

How to Keep a JavaScript or CSS File From Caching

Depending on your browser and server settings, JavaScript and CSS files are sometimes cached while you are trying to modify a webpage. Here is a quick copy/paste way to force a fresh download if you are using PHP or ASP (Classic ASP, but I think it should work in .NET as well). Please note the only reason you would want to do this is to ensure that every time you hit the page you are modifying, a fresh copy of the CSS or JavaScript file is downloaded. This should be removed when your site hits production.

Please excuse my WordPress code plugin. It doesn’t seem to be converting less-than and greater-than characters correctly.