Cookies case study - with SSL - and Frames (classic ASP)
This blog post intends to shed some light on the default behavior of a few things related to cookies in conjunction with SSL and Frameset. After reading through this post, you should have a better understanding of how things should ideally look like, so that if there is something wrong you can easily identify (and fix) that.
Before we begin you need to have Fiddler2 installed on your client box. It is an HTTP debugger and using this you should be able to see the cookies (yes even with SSL!). If you don't want to install it, its okay, but in that case you would need to trust me more than your eyes and you won't be able to see what I haven't written ;-) So, please install fiddler if you haven't already have.
Create any Virtual Directory in your IIS and create 3 files as follows...
1. framedpage.asp
<HTML>
<FRAMESET rows="30%,70%">
<FRAME src="top.asp">
<FRAME src="bottom.asp">
</FRAMESET>
</HTML>
2. top.asp
<%
Response.Write Request.ServerVariables("HTTP_COOKIE")
Response.Write "<HR>"
%>
3. bottom.asp (same as top.asp)
<%
Response.Write Request.ServerVariables("HTTP_COOKIE")
Response.Write "<HR>"
%>
Now, enable SSL on your website. Open a command prompts and go to C:\Inetpub\AdminScripts
Issue the following command and reset IIS> adsutil set w3svc/1/AspKeepSessionIDSecure 0
To know more about Secure cookies read KB 274149. Start Fiddler and browse to the page https://<servername>/<Vd>/framedpage.asp. You will notice that both the panes will show the same result
Let’s have a look at Fiddler and see what is shows…
GET /Frame/framedpage.asp HTTP/1.1
Accept: */*
Accept-Language: en-us
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; .NET CLR 1.1.4322; InfoPath.2; .NET CLR 2.0.50727)
Host: rahulserver
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDQQTRTQBT=NHMDAAPAFPENBJOFCONMMLMM
HTTP/1.1 200 OK
Date: Fri, 08 Jun 2007 23:04:49 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 108
Content-Type: text/html
Cache-control: private
GET /Frame/bottom.asp HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/ag-plugin, */*
Referer: https://rahulserver/Frame/framedpage.asp
Accept-Language: en-us
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; .NET CLR 1.1.4322; InfoPath.2; .NET CLR 2.0.50727)
Host: rahulserver
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDQQTRTQBT=NHMDAAPAFPENBJOFCONMMLMM
HTTP/1.1 200 OK
Date: Fri, 08 Jun 2007 23:04:49 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 49
Content-Type: text/html
Cache-control: private
GET /Frame/top.asp HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/ag-plugin, */*
Referer: https://rahulserver/Frame/framedpage.asp
Accept-Language: en-us
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; .NET CLR 1.1.4322; InfoPath.2; .NET CLR 2.0.50727)
Host: rahulserver
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDQQTRTQBT=NHMDAAPAFPENBJOFCONMMLMM
HTTP/1.1 200 OK
Date: Fri, 08 Jun 2007 23:04:49 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 49
Content-Type: text/html
Cache-control: private
Notice the ASPSessionID in red above. All of them are same!!!
Now, issue the following command and reset IIS again> adsutil set w3svc/1/AspKeepSessionIDSecure 1
Browse again and now see the difference in Fiddler…
Let’s have a look at fiddler traces now…
GET /Frame/framedpage.asp HTTP/1.1
Accept: */*
Accept-Language: en-us
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; .NET CLR 1.1.4322; InfoPath.2; .NET CLR 2.0.50727)
Host: rahulserver
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDQUTTSQAT=IBCPNAPAGKIMMPBLFGMJPIJM
HTTP/1.1 200 OK
Date: Fri, 08 Jun 2007 23:10:07 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 108
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQUTTSQAT=JBCPNAPAJCJHIGGEGDFCGMGE; secure; path=/
Cache-control: private
GET /Frame/top.asp HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/ag-plugin, */*
Referer: https://rahulserver/Frame/framedpage.asp
Accept-Language: en-us
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; .NET CLR 1.1.4322; InfoPath.2; .NET CLR 2.0.50727)
Host: rahulserver
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDQUTTSQAT=JBCPNAPAJCJHIGGEGDFCGMGE
HTTP/1.1 200 OK
Date: Fri, 08 Jun 2007 23:10:07 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 49
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQUTTSQAT=KBCPNAPAICGGPAHELKHGEKCN; secure; path=/
Cache-control: private
GET /Frame/bottom.asp HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/ag-plugin, */*
Referer: https://rahulserver/Frame/framedpage.asp
Accept-Language: en-us
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; .NET CLR 1.1.4322; InfoPath.2; .NET CLR 2.0.50727)
Host: rahulserver
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDQUTTSQAT=JBCPNAPAJCJHIGGEGDFCGMGE
HTTP/1.1 200 OK
Date: Fri, 08 Jun 2007 23:10:07 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 49
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQUTTSQAT=LBCPNAPALFJPFOKMIKLCKMHM; secure ; path=/
Cache-control: private
If you notice, the same three requests from the same server, but instead of creating the same cookie and passing it back and forth from the IE Client, the Server decides to send new COOKIE each time. Also notice, the header Set-Cookie now has another parameter saying “secure” .
Keep in mind though, that we don't use Sessions in ANY of the 3 ASP pages we created above. If you use session in any of your pages, you will not see Set-Cookie header being sent for all your Pages. Instead, it will be sent just once and the same cookie will be transmitted back and forth between your server and client (for the same session).
CONCLUSION
============
1. If you have set adsutil set w3svc/1/AspKeepSessionIDSecure 0, you will see a regular NON-Secure cookie being sent by the server to the client for the first request. You will see that the same cookie is passed back and forth and this behavior doesn't depend on the usage of Sessions in your ASP Pages.
2. If you have set adsutil set w3svc/1/AspKeepSessionIDSecure 1, AND you are NOT USING Sessions... you will see a Secure cookie being sent by the server to the client for each request. If you are using frames, all the pages will receive a new Secure cookie on each request as you can see by the Fiddler traces above. (Notice that framedpage.asp, top.asp and bottom.asp, all three got a Set-Cookie response from the server with a different ASPSessionID).
3. If you have set adsutil set w3svc/1/AspKeepSessionIDSecure 1, AND you are USING Sessions... you will see a Secure cookie being sent by the server to the client for first request and then the same cookie is passed back and forth for the complete browser session.
NB -> Cookie in the Conclusion section refer to ASPSessionID cookie.
Hope this helps.
Rahul
Share this post : |
Comments
Anonymous
June 27, 2007
Considering the conclusion # 3 above, how would it behave if the website starts off on HTTP, but moves to HTTPS subsequently. Will the same session id cookie continue to be used after moving to HTTPS? Second question: Does setting "adsutil set w3svc/1/AspKeepSessionIDSecure 1" enable secure sessionid cookies for all websites on the server?Anonymous
June 27, 2007
Hi Pankaj, It would be a very simple test to do. You can download Fiddler2 and check it. I would have done it for you, but I am with limited resources now since I am on a vacation. IMO, Answer 1 (I haven't cross-checked it in Fiddler)> As soon as it moves to https, the session id cookie should change and become secure. And that secure cookie will be passed back and forth. Regarding the 2nd question, adsutil is setting the secureid for only W3SVC/<Site identifier = 1> (in my case it is the root/default website). If you have any other website, it is not going to make it secure. You will have to set it accordingly. HTH RahulAnonymous
July 31, 2007
Hi, I had been facing the same in my application. your article is nice and easy to grasp. But it is not working in application well you please help me. I am using fiddler for my application through SSL. The session id is not go with secure as u mentioned in your article. Though i dont know u made a miskate or me done anywhere. Help me out. Regards, BalaAnonymous
August 19, 2008
does Fiddler2 support interent explorer 6?Anonymous
September 13, 2009
hi i am jai i want to this case study