Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
1.2k views
in Technique[技术] by (71.8m points)

vbscript - Adding Same-site; Secure to Cookies in Classic ASP

We are running a classic ASP website, and having issues with Cookies in Chrome browser. Chrome is enforcing the cookie to be set securely (https://www.chromestatus.com/feature/5633521622188032)

We are setting a cookie as follows:

Response.AddHeader "Set-Cookie", "TestCookie=This is a Test; path=/; SameSite=None; Secure" 
Response.Cookies("TestCookie").Expires = Date + 1

However, this has issues with Chrome, where sessions end abruptly when a resource of a different domain is called.

Chrome's cookie details show this:

Send for
Same-site connections only

Note there is no mention of "secure" as I think there should be. What is the correct way of setting the Cookie in classic ASP for this?

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Answer

0 votes
by (71.8m points)

There is a problem with your current approach to setting the Response Cookie.

By using Response.Cookies after setting the header using Set-Cookie you are in effect creating a new empty cookie called "TestCookie". Instead, you want to incorporate the expiry into the existing Set-Cookie header.

Testing your code, this is the Response header contents:

Response Headers

<%
Function FormatCookieDateTime(interval, value, tz)
  Dim dt: dt = DateAdd(interval, value, Date())
  Dim tm: tm = Time()
  Dim result: result = WeekDayName(WeekDay(dt), True) & ", " & _
    Right("00" & Day(dt), 2) & "-" & _
    MonthName(Month(dt), True) & "-" & _
    Year(dt) & " " & _
    Right("00" & Hour(Time()), 2) & ":" & _
    Right("00" & Minute(Time()), 2) & ":" & _
    Right("00" & Second(Time()), 2) & " " & tz
  
  FormatCookieDateTime = result
End Function

Response.AddHeader "Set-Cookie", "TestCookie=This is a Test; path=/; SameSite=None; Secure; expires=" & FormatCookieDateTime("d", 1, "GMT")
%>

Built a function that makes setting the expiry using the correct format easier.

Remember Secure is for Secure Connections

Because you are setting two cookies (one via AddHeader() and one via Response.Cookie) it might not be clear but the first cookie with Secure set will be ignored by chrome if the connection is not using HTTPS. In fact, if you look at the request in Chrome Dev Tools you should see a warning symbol next to the Set-Cookie header that says (when hovered over) something along the lines of;

This set-cookie had the "Secure" attribute but was not received over a secure connection.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

2.1m questions

2.1m answers

60 comments

57.0k users

...