Secure Session ID Cookies on IIS6 Using Metabase And Classic ASP

I have been looking for a solution to this problem for weeks! How do you mark a cookie as secure so that it will only be transmitted via an SSL connection in IIS6? The first (and best) solution is so simple that I am annoyed by the amount of time I wasted on workarounds (solution 2).

Please keep in mind these are two different solutions. I suggest using the first one, or the second one if you have to, but not both together.

Solution 1

  1. Enable Direct Metabase Editing. As the option's description says, this allows you to edit the Metabase.xml file while IIS is running.
  2. Navigate to and open the Metabase.xml file.
  3. Change the value of the property ASPKeepSessionIDSecure from “0” to “1”. Note the number must be in quotes.

More Metabase Properties: http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/0d49cbc8-10e1-4fa8-ba61-c34e524a3ae6.mspx?mfr=true

Solution 2

I do not suggest this approach, as it requires an extra round trip to the server before the cookie is marked secure, which, if you think about it, still leaves you vulnerable to packet sniffing. An attacker can capture your session cookie before you log in, and since the same cookie value is later marked secure, he could replay the captured session ID over plain HTTP to hijack your session. This can be mitigated, however, by requiring SSL for the directory the user is browsing.

Nonetheless, here is the code that marks your cookie secure. It must be included on every page, through a server-side include or similar.

<%
'///////////////////////////////////////////////
' secureAspSessionCookie
''''''''''''''''''''''''''''''''''''''''''''''''
' Notes:
'	If on SSL, takes the ASP session cookie and re-issues it marked Secure.
'	If the user changes to non-SSL, IIS issues a new cookie.
'	Must run on every SSL page, so include it from a server-side include.
'	Clients that refuse cookies will loop on the redirect below.
'////////////////////////////////////////////////
Sub secureAspSessionCookie()
    Dim AllCookies, AspSessionCookie
    If Request.ServerVariables("HTTPS") = "on" Then
        AllCookies = Request.ServerVariables("HTTP_COOKIE")
        ' The session cookie is named ASPSESSIONID plus a server-specific suffix;
        ' guard against other cookies being present without it (Split(...)(1) would fail)
        If InStr(AllCookies, "ASPSESSIONID") > 0 Then
            ' Keep only the "ASPSESSIONIDxxxx=value" pair, dropping anything after the next ";"
            AspSessionCookie = "ASPSESSIONID" & Split(AllCookies, "ASPSESSIONID")(1)
            If InStr(AspSessionCookie, ";") > 0 Then
                AspSessionCookie = Split(AspSessionCookie, ";")(0)
            End If
            Response.AddHeader "Set-Cookie", Trim(AspSessionCookie) & "; Secure; Path=/"
        Else
            ' No session cookie yet: reload so IIS issues one, which this code then marks Secure
            Response.Redirect Request.ServerVariables("URL")
        End If
    End If
End Sub

Call secureAspSessionCookie
%>
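Whichever solution you pick, you will want to confirm that the session cookie IIS actually sends carries the Secure attribute. The following is an added example, not part of the original post: a small Python audit that pulls the Set-Cookie lines out of a captured HTTP response head and reports any ASPSESSIONID cookie lacking Secure. The cookie suffix and value in the sample responses are constructed.

```python
from typing import Dict, List

# IIS names the ASP session cookie ASPSESSIONID followed by a server-specific suffix
SESSION_COOKIE_PREFIX = "ASPSESSIONID"


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split one Set-Cookie header value into its name, value and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value, "attrs": attrs}


def insecure_session_cookies(set_cookie_headers: List[str]) -> List[str]:
    """Return the names of ASPSESSIONID* cookies that were set without the Secure attribute."""
    missing = []
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        name = str(cookie["name"])
        if name.upper().startswith(SESSION_COOKIE_PREFIX) and "secure" not in cookie["attrs"]:
            missing.append(name)
    return missing


def audit_response(raw_headers: str) -> List[str]:
    """Extract every Set-Cookie header from a raw HTTP response head and audit them."""
    set_cookies = [line.partition(":")[2].strip()
                   for line in raw_headers.splitlines()
                   if line.lower().startswith("set-cookie:")]
    return insecure_session_cookies(set_cookies)


# Constructed sample responses: IIS6 default vs. after ASPKeepSessionIDSecure="1"
DEFAULT_RESPONSE = """HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
Set-Cookie: ASPSESSIONIDQASBQCDR=EXAMPLEVALUE0000000000000; path=/
Content-Type: text/html"""

SECURED_RESPONSE = """HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
Set-Cookie: ASPSESSIONIDQASBQCDR=EXAMPLEVALUE0000000000000; secure; path=/
Content-Type: text/html"""

if __name__ == "__main__":
    print("default:", audit_response(DEFAULT_RESPONSE))  # ['ASPSESSIONIDQASBQCDR']
    print("secured:", audit_response(SECURED_RESPONSE))  # []
```

Feed it the response head of an HTTPS request to your site (for example, the output of a browser's network inspector); with Solution 2 remember that only the second request over SSL carries the Secure cookie.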

Source: http://stackoverflow.com/questions/2099777/classic-asp-how-to-check-if-aspsessionid-cookie-has-been-marked-as-secure