by   February 27 2017   
Working with HTTPOnly cookies may actually be easier than you think. For many of us it's the path to covering more browsers and offering a more secure way of storing data. I'm sharing my code with some easy encryption methods to keep that 14 year old from reading things in plain text. Full code with example site page.

ASP Classic Working with HTTPOnly Cookies

You can use the ideas of how the code works.
ASP Classic programming is 20% code knowledge, 20% creativity, 20% logical thinking skills, 20% debugging skills, 20% defiance toward "It can't be done" types.
Introduction: Adding an HTTPOnly cookie is simple when you are adding just one.
But, like our physical cookie Response.Cookies(strCookieName).Domain = "xtremecomputer.com", we can't write to our HTTP header at any point. I have actually found issues when attempting to write more than 3 times on any single page load, which brings me to a different method of creating my HTTPOnly cookies.
 
This page has the major parts of my code. 
If you need everything copy-and-paste ready, you'll need to see the ASP code on my ASP site, which is linked below.
The code is on this page and the demo is on my ASP Classic website, linked below.

What I would like for you to do is take your time. Since the 90's I have developed a code base, kind of like many platforms out on the internet: complete packages for websites. My code base is ASP Classic and evolves on the frontend only. I attempt to keep my frontend as light as possible and use the server side to do the heavy work. Everyone has their own style of developing, so not every code sample fits all sites. (Maybe except this one.)

This cookie code can be put into place on top of anything you currently have with some careful review. 

Updated version 3.20.2017

The CALL

Call HTTPOnlyAddBIGCookie(strSite,strCookie,strDelimiter,strCookieInput,14,6,1,strEncrypt)

  • strSite = friendly name of your site
  • strCookie = the full raw cookie header, Request.ServerVariables("HTTP_COOKIE")
  • strDelimiter = the symbol you are using as your delimiter, e.g. |
  • strCookieInput = your cookie input
  • 14 = number of days to keep the cookie
  • 6 = time offset from GMT
  • 1 = session flag: 1 also stores each cookie key as a session value, such as Session("XYZ"); 0 = no session
  • strEncrypt = 1 for on, 0 for off

The above call is what I am using on my TruckAndTools.Com website and will be updating all my other ASP Classic sites to the same. 

The MAIN FUNCTION

Function HTTPOnlyAddBIGCookie(strName,strRaw,strDelim,sKeyandValue,sDays,sTimeOffSet,sSession,sEncrypt)
    Dim strCounterDelimiter,strCounterSeparator,arrNoiseWord
    strCounterDelimiter = 0

    '# Get full HTTPOnly Cookie
    If Len(strRaw) = 0 Or InStr(strRaw,strName) = 0 Then
        strRaw = Request.ServerVariables("HTTP_COOKIE")
    End If

    If sSession = "" Then
        sSession = 0
    End If

    '# Set Cookie Time with Formatting
    '# Use any code option to set your GMT with proper format.
    strGMTDateRFC22 = CookieServerUTC("d",sDays,sTimeOffSet,"GMT")

    '# Extract Site Cookie from RAW Cookie
    If InStr(strRaw,strName&"=") > 0 Then
        strCHLen = Len(strName&"=")
        j = InStrRev(strRaw, strName&"=")
        If j > 0 Then
            strCTemp = Mid(strRaw, j+strCHLen)
        End If
        j = InStr(strCTemp, ";")
        If j > 0 Then
            strCTemp = Left(strCTemp, j-1)
        End If
        sOld = strCTemp
    End If
    '# If the cookie size is greater than 4k we need to drop something here.
    '# LenB()

    '# Decode Extracted Cookie If you are encrypting using any method
    If sEncrypt = 1 Then
        strTemp = ShiftDecode(URLDecodeCookie(sOld),sEncrypt)
    Else
        strTemp = sOld
    End If
    strTemp = strTemp & sKeyandValue
    '# Let's check to see if we have any cookies
    '# (strTemp already includes sKeyandValue, so it is not appended a second time)
    strCounterDelimiter = Len(strTemp) - Len(Replace(strTemp, strDelim, ""))

    '# Let's check to see if we have any keys
    strCounterSeparator = Len(strTemp) - Len(Replace(strTemp, "=", ""))

    '# Let's split our Keys and Values of our cookie up by our set delimiter
    arrNoiseWord = Split(strTemp,strDelim)

    For i = LBound(arrNoiseWord) To UBound(arrNoiseWord)
        '# Reset so an entry without "=" does not reuse the previous key and value
        strCTempKey = ""
        strCTempValue = ""
        j = InStrRev(arrNoiseWord(i),"=")
        If j > 0 Then
            strCTempValue = Mid(arrNoiseWord(i), j+1)
        End If
        j = InStr(arrNoiseWord(i),"=")
        If j > 0 Then
            strCTempKey = Left(arrNoiseWord(i), j-1)
        End If

        '# Now for the part that checks your cookie against the new values and combines them as one cookie again.
        '# I attempted to use Scripting Dictionary but found the Session method to be best for my needs.
        '# As long as you check Keys and Values to be sure you update what you need, remove what you don't need
        '# and save back to the cookie all other data.
        If Len(strCTempValue) >= 1 Then
            If Session("CookieString") <> "" Then
                If ( InStr( 1, Session("CookieString"), strDelim&strCTempKey&"=", vbBinaryCompare ) = 0 ) Then
                    If ( InStr( 1, strTemp, strCTempKey, vbBinaryCompare ) <> 0 ) Then
                        Session("CookieString") = Session("CookieString") & strDelim&strCTempKey&"="&strCTempValue
                        Session("CookieString") = Replace(Session("CookieString"),strDelim&""&strCTempKey&"="&strDelim,strDelim)
                    End If
                    Session("CookieString") = Replace(Session("CookieString"),strDelim&""&strCTempKey&"="&strDelim,strDelim)
                End If
            Else
                Session("CookieString") = Session("CookieString") & strDelim&strCTempKey&"="&strCTempValue
                Session("CookieString") = Replace(Session("CookieString"),strDelim&strCTempKey&"="&strDelim,strDelim)
            End If
            If sSession = 1 Then
                Session(strCTempKey) = strCTempValue
            End If
            If sSession = 0 Then
                Session.Contents.Remove(""&strCTempKey&"")
            End If

        End If
    Next

    '# When you remove the value and or key you are leaving the delimiter and equals sign which need to be removed.
    Session("CookieString") = Replace(Session("CookieString"),strDelim&"="&strDelim,strDelim)
    strTemp = Session("CookieString")
    Session.Contents.Remove("CookieString")
    If sSession = 0 Then
        Session.Contents.Remove(""&strCTempKey&"")
    End If

    '# Let's remove any duplicates
    strTemp = StripDuplicates(strTemp,strDelim)
    '# Let's remove any empty keys
    strTemp = Replace(strTemp,strDelim&"="&strDelim,strDelim)
    '# Let's check the size of the cookie. This is an estimate and added as a cookie to read. ec=estimated cookie size in bytes
    '# (LenB counts two bytes per character of the string, so the figure is an upper estimate)
    str = LenB(strTemp)
    strTemp = strTemp & strDelim&"ec="&str

    '# If you are encrypting your cookie or using obscurity NEVER use plain text.
    If sEncrypt = 1 Then
        sCombined = URLEncodeCookie(ShiftEncode(strTemp,sEncrypt))
        strCookieCZ = LenB(sCombined)
        strCookieLenB = URLEncodeCookie(ShiftEncode(strDelim&"cz="&strCookieCZ,sEncrypt))
    Else
        sCombined = strTemp
        strCookieCZ = LenB(sCombined)
        '# cz = size of the combined cookie, the same key the encrypted branch writes ("ec" is already set above)
        strCookieLenB = strDelim&"cz="&strCookieCZ
    End If
    '# Now we need to know if it's SSL or NON SSL and even the port.
    strPortSecure = Request.ServerVariables("SERVER_PORT_SECURE")
    strPort = Request.ServerVariables("SERVER_PORT")
    '# strHostByName is not set inside this function; it has to be set by the calling page.
    '# If Secured Port
    If strPortSecure = 1 Then
        Response.AddHeader "Set-Cookie", strName & "=" & sCombined & ""&strCookieLenB&"; expires=" & strGMTDateRFC22 & "; domain="& strHostByName &"; path=/; Secure; HTTPOnly"
    Else
        Response.AddHeader "Set-Cookie", strName & "=" & sCombined & ""&strCookieLenB&"; expires=" & strGMTDateRFC22 & "; domain="& strHostByName &"; path=/; HTTPOnly"
    End If

End Function
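
The function above concatenates key and value text straight into the Set-Cookie header, so a value containing ";" or a line break would end the cookie value early and be read as attributes. The following is an added example, not the author's code: it merges old and new pairs with a Scripting.Dictionary (the alternative the comments mention) and refuses characters that RFC 6265 does not allow in a cookie value. The helper names, the cookie name MySite, the sample pairs and the 3800-character budget are assumptions made for the illustration.

```vbscript
' Added example, not the author's code. SafeCookieText and BuildCookieValue
' are hypothetical names; sample values at the bottom are constructed.

' True when s holds only characters RFC 6265 allows inside a cookie value:
' printable ASCII without space, double quote, comma, semicolon or backslash.
Function SafeCookieText(s)
    Dim i, c
    SafeCookieText = False
    For i = 1 To Len(s)
        c = AscW(Mid(s, i, 1))
        If c < 33 Or c > 126 Then Exit Function           ' CR, LF, space, non-ASCII
        If InStr(""";,\", ChrW(c)) > 0 Then Exit Function ' would end or split the value
    Next
    SafeCookieText = True
End Function

' Merges strNew into strOld (both shaped "|k=v|k=v"). A later pair replaces an
' earlier one; an empty value removes the key (assumption of this example).
' Returns "" if any key or value is unsafe or the result exceeds lngMax chars.
Function BuildCookieValue(strOld, strNew, strDelim, lngMax)
    Dim dict, parts, i, p, k, v, out
    BuildCookieValue = ""
    Set dict = CreateObject("Scripting.Dictionary")
    parts = Split(strOld & strDelim & strNew, strDelim)
    For i = LBound(parts) To UBound(parts)
        p = InStr(parts(i), "=")
        If p > 1 Then
            k = Left(parts(i), p - 1)
            v = Mid(parts(i), p + 1)
            If Not (SafeCookieText(k) And SafeCookieText(v)) Then Exit Function
            If Len(v) = 0 Then
                If dict.Exists(k) Then dict.Remove k
            Else
                dict(k) = v
            End If
        End If
    Next
    out = ""
    For Each k In dict.Keys
        out = out & strDelim & k & "=" & dict(k)
    Next
    ' Len, not LenB: LenB counts two bytes per character of the UTF-16 string.
    If Len(out) <= lngMax Then BuildCookieValue = out
End Function

Dim strValue
strValue = BuildCookieValue("|lang=en|cart=2", "|cart=3", "|", 3800)
If Len(strValue) > 0 Then Response.AddHeader "Set-Cookie", "MySite=" & strValue & "; path=/; Secure; HttpOnly"
```

An empty return value means nothing is written, so the browser keeps the previous cookie instead of receiving a header that an input value has reshaped.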

 

Summary: by using HTTPOnly cookies in your ASP Classic code, you lengthen the time you can use your classic code. Let me show you how I handle cookies on my ASP Classic sites.

How to read your HTTP Cookie

Reading your custom HTTP Cookie information

Encrypting custom HTTP Cookie information

Creating GMT Time Stamp function for your HTTP Cookie

Create your HTTP Cookie

Read, Decrypt, Split your Cookie

Let's Decrypt things.

Last, I will update how to submit several keys and values to your HTTPOnly cookie now that you know how to use them correctly.
