PCI Compliance with ASP on IIS

There is a potential PCI compliance issue with IIS and ASP. This entry is intended as an indicator in case you are moving to web based PCI compliance.
For IIS6

The following gives information on the subject ...




One solution is via a parameter in the Metabase.xml file on IIS called KeepASPCookieSecure, via the actual parameter AspKeepSessionIDSecure (ref
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/0d49cbc8-10e1-4fa8-ba61-c34e524a3ae6.mspx?mfr=true ). Amending the Metabase.xml file should made the IIS ASP PCI compliant.
For IIS7 and IIS7.5
Check the Configuration Reference (http://www.iis.net/configreference) for Session Properties.

In IIS 7/7.5 the parameters have changed (do a search for AspKeepSessionIDSecure) to ASP Session <session> along with some other settings in the same area.

Just a little bit more information on this – re

Couple of posts of interest …

If you are using IIS7 or IIS7.5 and install the URL Rewriting add-in then you can do this. You can create a rewriting rule that adds "HttpOnly" to any out going "Set-Cookie" headers. Paste the following into the <system.webServer> section of your web.config. I then used Fiddler to prove the output.

<rule name="Add HttpOnly" preCondition="No HttpOnly">
<match serverVariable="RESPONSE_Set_Cookie" pattern=".*" negate="false" />
<action type="Rewrite" value="{R:0}; HttpOnly" />
<preCondition name="No HttpOnly">
<add input="{RESPONSE_Set_Cookie}" pattern="." />
<add input="{RESPONSE_Set_Cookie}" pattern="; HttpOnly" negate="true" />


Out of the box IIS does not have an option to set HttpOnly for the ASP Session cookie, or any application generated cookies either.

For the ASP session cookie you have two options as solutions. If you are using IIS7+ then you can use the URL Rewriting add-in for IIS to add "; HttpOnly" to any Set-Cookie header leaving the web server that doesn't already have it on. This is the easist option.


Add Feedback