Thursday, January 11, 2007

Secure ASPSESSIONID Cookies in IIS 4, 5 and 6.0

From this great page on Microsoft's Help and Support Site:

When you use Active Server Pages (ASP) in Internet Information Server (IIS) 4.0 or Internet Information Services (IIS) 5.0, a session cookie is sent to a user's browser. This cookie identifies the user for the time that they are on the site. These cookies are sometimes called memory cookies, because they are never stored on the user's hard drive like a regular cookie. In reality, this is an additional header that is sent to the browser. Anytime a Web site sends additional information such as this, the browser is required to send it back with each request (provided the server name does not change). The following is an example of an ASP Session Cookie:
Set-Cookie: ASPSESSIONIDGQQGGLIC=HKEDPNNBNBBKMOCFFBEIJENM; path=/
HTTP is a stateless protocol, which means that every time a user connects to a Web site it is just like the first time they connected to the Web server. This is a problem in an environment where you store server-side information for users. The session cookie is a means of performing such tasks.

A problem can occur if developers decide to store confidential or sensitive information in the session. For example, if a developer writes a piece of ASP code that requests a user's credit card number, the developer can store this information in a session variable (session variables are linked to the session cookie) on the server. The user can then browse to a page that lists the information they entered (for example, an authorization page or an order confirmation page). The credit card (when the list is generated) may be pulled from a session variable. If so, this information may be at risk.


The Help and Support page linked to above covers IIS 4.0 and 5.0; however, the command it lists at the end:

NOTE: After you apply the patch, run the following commands to enable secure cookies (this example enables them for site 1):

cd c:\inetpub\AdminScripts
cscript adsutil.vbs set w3svc/1/AspKeepSessionIDSecure 1

is correct for all versions of IIS. For IIS 6.0, simply run that command and the ASPSESSIONID cookie will be sent with the Secure attribute.
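As an added example (not from this post or from Microsoft's article), here is a small Python check that reads the Set-Cookie headers of a response and reports whether each ASPSESSIONID cookie carries the Secure attribute, so you can confirm the adsutil change took effect. The sample headers are constructed, and the exact form of the header IIS emits after the change is an assumption.

```python
import http.client

# Classic ASP session cookies are named ASPSESSIONID plus a random
# suffix (e.g. ASPSESSIONIDGQQGGLIC), so the check matches on the prefix.
ASP_SESSION_PREFIX = "ASPSESSIONID"


def parse_set_cookie(value):
    """Split a Set-Cookie value into (cookie name, lower-cased attribute names)."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def audit_asp_session_cookies(raw_headers):
    """Return [(cookie name, has Secure attribute)] for every ASP session
    cookie found in a block of raw 'Name: value' response header lines."""
    findings = []
    for line in raw_headers.splitlines():
        hname, sep, hvalue = line.partition(":")
        if not sep or hname.strip().lower() != "set-cookie":
            continue
        cname, attrs = parse_set_cookie(hvalue)
        if cname.upper().startswith(ASP_SESSION_PREFIX):
            findings.append((cname, "secure" in attrs))
    return findings


def fetch_raw_headers(host, path="/"):
    """Fetch a page over HTTPS (assumption: the site serves TLS) and return
    its response headers as raw 'Name: value' lines for auditing."""
    conn = http.client.HTTPSConnection(host, timeout=10)
    conn.request("GET", path)
    resp = conn.getresponse()
    return "".join(f"{k}: {v}\r\n" for k, v in resp.getheaders())


# Constructed samples: BEFORE mirrors the header quoted from the Microsoft
# article; AFTER is the assumed form once AspKeepSessionIDSecure is set to 1.
BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: ASPSESSIONIDGQQGGLIC=HKEDPNNBNBBKMOCFFBEIJENM; path=/\r\n"
    "Content-Type: text/html\r\n"
)
AFTER = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: ASPSESSIONIDGQQGGLIC=HKEDPNNBNBBKMOCFFBEIJENM; secure; path=/\r\n"
    "Content-Type: text/html\r\n"
)

if __name__ == "__main__":
    for label, hdrs in (("before", BEFORE), ("after", AFTER)):
        for cname, secure in audit_asp_session_cookies(hdrs):
            print(f"{label}: {cname} secure={secure}")
```

To check a live server, pass the output of fetch_raw_headers for your site to audit_asp_session_cookies; a False result means the session cookie is still being sent without the Secure attribute.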

3 comments:

Anonymous said...

Thanks for the IIS 6.0 comment...
do you know if there is anything that an ASP page developer needs to do in addition to this server-side mod?

--hrf

Anonymous said...

super, thanks!!!!

reflute said...

HRF,

That is the only change that is required for this particular cookie. If you are trying to secure additional cookies, you would have to make a code modification around where the cookie was set.