ASP Classic SSL Cookies: how to do it right
When I last updated my cookie processes on one of my busy sites, I started reading about what was the best way of using cookies. Like many, I used physical cookies saved on the local machine. 20 years ago that cookie would have been in plain text. Today we hash and encrypt them so they can't be used easily. But because a cookie can be stolen, the old versions aren't the best.
I switched to HTTP Header Cookies about a year or so ago. It was a learning experience. I lost some of the features I liked most, like auto login after 30 days. I know, that's a bit much, but when you look at your favorite Social Media site, your auto login may be in the form of an encrypted cookie for over a month.
Now, we are all going to go SSL in 2017, unless you're just a blog site. If you allow members to log in, payments to be collected, or anything that covers transmitting any type of information known by a person to another person, you're going to want to have all your old ASP Classic code updated to allow for SSL HTTP Cookies.
Here's your current SSL Cookie solution. Well, my guess is that if you are using SSL, you most likely are still using this method of storing data on the remote client's computer.
' Response.Cookies(strCookieName).Domain = strCookieDomain
' Response.Cookies(strCookieName).Path = "/"
' Response.Cookies(strCookieName)(strCookieKey) = strCookieValue
' Response.Cookies(strCookieName).Secure = True
Here's my code which should help those that are going to be updating others.
Response.AddHeader "Set-Cookie", strCookieName & "=" & strCookieKey & "=" & strCookieValue & "; expires=" & strGMTDateRFC22 & "; domain="& strCookieDomain &"; path=/; secure; HTTPOnly"
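An added example, not the author's code: one way to produce the GMT expires string that the header line above expects, and to check each field before it goes into the raw header. The helper names (HttpGmtDate, IsSafeCookiePart, SetSecureCookie), the UTC-offset parameter and the values in the sample call are assumptions made for illustration.

```vbscript
' Added example, not the author's code. All helper names are hypothetical.

' Format a server-local date as an HTTP date in GMT, e.g. "Wed, 01 Feb 2017 12:00:00 GMT".
' Assumption: the caller supplies the server's UTC offset in minutes (e.g. -300 for UTC-5).
Function HttpGmtDate(dtLocal, intUtcOffsetMinutes)
    Dim dtGmt, arrDays, arrMonths
    arrDays = Array("Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat")
    arrMonths = Array("Jan", "Feb", "Mar", "Apr", "May", "Jun", _
                      "Jul", "Aug", "Sep", "Oct", "Nov", "Dec")
    dtGmt = DateAdd("n", -intUtcOffsetMinutes, dtLocal)
    HttpGmtDate = arrDays(Weekday(dtGmt) - 1) & ", " & Right("0" & Day(dtGmt), 2) & " " & _
        arrMonths(Month(dtGmt) - 1) & " " & Year(dtGmt) & " " & _
        Right("0" & Hour(dtGmt), 2) & ":" & Right("0" & Minute(dtGmt), 2) & ":" & _
        Right("0" & Second(dtGmt), 2) & " GMT"
End Function

' Response.AddHeader writes the string as given, so a stray ";" or line break in a
' field would change the header. Reject empty strings, control characters, space,
' double quote, comma, semicolon, backslash, DEL and non-ASCII; "=" only where allowed.
Function IsSafeCookiePart(strPart, blnAllowEquals)
    Dim i, c
    IsSafeCookiePart = (Len(strPart) > 0)
    For i = 1 To Len(strPart)
        c = AscW(Mid(strPart, i, 1))
        If c <= 32 Or c >= 127 Or c = 34 Or c = 44 Or c = 59 Or c = 92 _
           Or (c = 61 And Not blnAllowEquals) Then
            IsSafeCookiePart = False
            Exit Function
        End If
    Next
End Function

' Build the same Set-Cookie header as the line above, after checking every field.
Sub SetSecureCookie(strCookieName, strCookieKey, strCookieValue, strCookieDomain, intDays, intUtcOffsetMinutes)
    Dim strGMTDateRFC22
    If Not (IsSafeCookiePart(strCookieName, False) And IsSafeCookiePart(strCookieKey, False) _
        And IsSafeCookiePart(strCookieValue, True) And IsSafeCookiePart(strCookieDomain, False)) Then
        Err.Raise vbObjectError + 1, "SetSecureCookie", "Unsafe character in cookie field"
    End If
    strGMTDateRFC22 = HttpGmtDate(DateAdd("d", intDays, Now()), intUtcOffsetMinutes)
    Response.AddHeader "Set-Cookie", strCookieName & "=" & strCookieKey & "=" & strCookieValue & _
        "; expires=" & strGMTDateRFC22 & "; domain=" & strCookieDomain & "; path=/; secure; HTTPOnly"
End Sub

' Constructed sample call: a 30-day cookie on a server running at UTC-5.
' SetSecureCookie "member", "token", "3f9a1c7e", "www.example.com", 30, -300
```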
In the end, I've been able to manage cookies in both SSL and non-SSL environments. But because the search world will be looking at me and you with a closer eye toward SSL, I'll be making all my new sites that pass any information between users and my SQL under Secured Connections. My Encryption will be upgraded as well as my header cookie. No more text saved to hard drives, please.
If you need a site review, just ask. If you would like me to set up your new cookies for your eCommerce site or any membership site, feel free to contact me. It does take me time to review your code to make sure my fix is a one-time fix.
Don't use Header Cookies as an excuse to upgrade your site. HTTP Cookies are not code dependent. Anyone, with any code, can do this if they put effort and knowledge into it.
Email me. Use the contact page.
TECH NOTE: I'm on Windows 2008 R2 running IIS 7.5. I do use Web.Config but do not use it to rewrite my header. That so many think this is the only solution tends to suggest they don't know enough ASP Classic Creative Coding. :) (We create our own frameworks.)
I'll put my Web.Config HTTPOnly Outbound code on this page, "ASP Set-Cookie HTTPOnly". Even if it's set by the ASP code, it should give you some options to test at least.