设置的HttpOnly传统的ASP会话Cookie
有谁知道如何设置的HttpOnly在传统的ASP会话cookie?
Does anyone know exactly how to set HTTPONLY on classic ASP session cookies?
这是被举报的漏洞扫描和修复需要尽快的最后一件事,所以任何帮助是AP preciated。
This is the final thing that's been flagged in a vulnerability scan and needs fixing ASAP, so any help is appreciated.
~~~多一点信息我的问题~~~
~~~A LITTLE MORE INFORMATION ON MY PROBLEM~~~
任何人都可以请帮我这个?
我需要知道如何设置上的HttpOnly从ASP&放默认创建的ASPSESSION饼干; IIS。
I need to know how to set HTTPONLY on the ASPSESSION cookie created by default from ASP & IIS.
这是由服务器自动对所有的ASP页面创建的cookie中。
This is the cookie automatically created by the server for all asp pages.
如果需要,我可以设置仅Http在整个网站上所有的cookie。
If needed i can set HTTPONLY on all cookie across the site.
这是如何做到这将是大量的AP preciated任何帮助。
Any help on how to do this would be massively appreciated.
感谢
谢谢
艾略特
微软包括使用ISAPI筛选器所有出站的cookie的例子:http://msdn.microsoft.com/en-us/library/ms972826
Microsoft includes an example using an ISAPI filter to all outbound cookies: http://msdn.microsoft.com/en-us/library/ms972826
或href=\"http://forums.iis.net/p/1168473/1946312.aspx\">http://forums.iis.net/p/1168473/1946312.aspx
or URL rewriting could be used http://forums.iis.net/p/1168473/1946312.aspx
<rewrite>
<outboundRules>
<rule name="Add HttpOnly" preCondition="No HttpOnly">
<match serverVariable="RESPONSE_Set_Cookie" pattern=".*" negate="false" />
<action type="Rewrite" value="{R:0}; HttpOnly" />
<conditions>
</conditions>
</rule>
<preConditions>
<preCondition name="No HttpOnly">
<add input="{RESPONSE_Set_Cookie}" pattern="." />
<add input="{RESPONSE_Set_Cookie}" pattern="; HttpOnly" negate="true" />
</preCondition>
</preConditions>
</outboundRules>
</rewrite>