Cookies case study - with SSL - and Frames (classic ASP)

This blog post intends to shed some light on the default behavior of a few things related to cookies in conjunction with SSL and Framesets. After reading it you should have a better understanding of what the traffic should ideally look like, so that if something is wrong you can identify (and fix) it.

Before we begin you need to have Fiddler2 installed on your client box. It is an HTTP debugging proxy, and with it you can see the cookies (yes, even with SSL: enable HTTPS decryption in Fiddler's options, which installs Fiddler's own root certificate so it can sit between your browser and the server and show you the decrypted traffic). If you don't want to install it, that's okay, but then you will have to trust me rather than your own eyes, and you won't see what I haven't written ;-) So please install Fiddler if you haven't already.

Create a Virtual Directory in IIS (the traces below use one called Frame) and create these 3 files in it...

1. framedpage.asp
<HTML>
  <FRAMESET rows="30%,70%">
    <FRAME src="top.asp">
    <FRAME src="bottom.asp">
  </FRAMESET>
</HTML>

2. top.asp
<%
  ' HTTP_COOKIE is the raw Cookie request header exactly as the browser sent it
  Response.Write Request.ServerVariables("HTTP_COOKIE")
  Response.Write "<HR>"
%>

3. bottom.asp (same as top.asp)
<%
  ' HTTP_COOKIE is the raw Cookie request header exactly as the browser sent it
  Response.Write Request.ServerVariables("HTTP_COOKIE")
  Response.Write "<HR>"
%>

Now, enable SSL on your website. Open a command prompt and go to C:\Inetpub\AdminScripts.

Issue the following command (w3svc/1 is the metabase path of the Default Web Site; use your own site's identifier if it differs) and then reset IIS with iisreset:

cscript adsutil.vbs set w3svc/1/AspKeepSessionIDSecure 0

To know more about Secure cookies, read KB 274149. In short, the Secure attribute tells the browser to send the cookie only over HTTPS; without it, a session ID that was issued over SSL is also sent in the clear on any http:// request to the same host. Start Fiddler and browse to https://<servername>/<Vd>/framedpage.asp. You will notice that both panes show the same result:

[screenshot: both frames print the same ASPSESSIONID cookie]

Let's have a look at Fiddler and see what it shows…

GET /Frame/framedpage.asp HTTP/1.1
Accept: */*
Accept-Language: en-us
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; .NET CLR 1.1.4322; InfoPath.2; .NET CLR 2.0.50727)
Host: rahulserver
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDQQTRTQBT=NHMDAAPAFPENBJOFCONMMLMM

HTTP/1.1 200 OK
Date: Fri, 08 Jun 2007 23:04:49 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 108
Content-Type: text/html
Cache-control: private

GET /Frame/bottom.asp HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/ag-plugin, */*
Referer: https://rahulserver/Frame/framedpage.asp
Accept-Language: en-us
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; .NET CLR 1.1.4322; InfoPath.2; .NET CLR 2.0.50727)
Host: rahulserver
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDQQTRTQBT=NHMDAAPAFPENBJOFCONMMLMM

HTTP/1.1 200 OK
Date: Fri, 08 Jun 2007 23:04:49 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 49
Content-Type: text/html
Cache-control: private

GET /Frame/top.asp HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/ag-plugin, */*
Referer: https://rahulserver/Frame/framedpage.asp
Accept-Language: en-us
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; .NET CLR 1.1.4322; InfoPath.2; .NET CLR 2.0.50727)
Host: rahulserver
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDQQTRTQBT=NHMDAAPAFPENBJOFCONMMLMM

HTTP/1.1 200 OK
Date: Fri, 08 Jun 2007 23:04:49 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 49
Content-Type: text/html
Cache-control: private

Notice the ASPSESSIONID cookie value in each of the three requests: it is the same every time, and the server sends no Set-Cookie header at all (the cookie was issued on an earlier request and is simply echoed back by the browser).

Now, issue the following command and reset IIS again:

cscript adsutil.vbs set w3svc/1/AspKeepSessionIDSecure 1

Browse to the page again and look at the Fiddler traces now…

GET /Frame/framedpage.asp HTTP/1.1
Accept: */*
Accept-Language: en-us
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; .NET CLR 1.1.4322; InfoPath.2; .NET CLR 2.0.50727)
Host: rahulserver
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDQUTTSQAT=IBCPNAPAGKIMMPBLFGMJPIJM

HTTP/1.1 200 OK
Date: Fri, 08 Jun 2007 23:10:07 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 108
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQUTTSQAT=JBCPNAPAJCJHIGGEGDFCGMGE; secure; path=/
Cache-control: private

GET /Frame/top.asp HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/ag-plugin, */*
Referer: https://rahulserver/Frame/framedpage.asp
Accept-Language: en-us
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; .NET CLR 1.1.4322; InfoPath.2; .NET CLR 2.0.50727)
Host: rahulserver
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDQUTTSQAT=JBCPNAPAJCJHIGGEGDFCGMGE

HTTP/1.1 200 OK
Date: Fri, 08 Jun 2007 23:10:07 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 49
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQUTTSQAT=KBCPNAPAICGGPAHELKHGEKCN; secure; path=/
Cache-control: private

GET /Frame/bottom.asp HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/ag-plugin, */*
Referer: https://rahulserver/Frame/framedpage.asp
Accept-Language: en-us
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; .NET CLR 1.1.4322; InfoPath.2; .NET CLR 2.0.50727)
Host: rahulserver
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDQUTTSQAT=JBCPNAPAJCJHIGGEGDFCGMGE

HTTP/1.1 200 OK
Date: Fri, 08 Jun 2007 23:10:07 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 49
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQUTTSQAT=LBCPNAPALFJPFOKMIKLCKMHM; secure ; path=/
Cache-control: private

These are the same three requests to the same server, but instead of creating one cookie and passing it back and forth with the IE client, the server now sends a new cookie in every response: framedpage.asp gets JBCP…, top.asp gets KBCP… and bottom.asp gets LBCP…. Both top.asp and bottom.asp still present the JBCP… value that framedpage.asp handed out, because the browser sends both frame requests before either of those later Set-Cookie headers has arrived. Also notice that the Set-Cookie header now carries the secure attribute.

Keep in mind that none of the 3 ASP pages above uses the Session object. If any of your pages touches Session, you will not see a Set-Cookie header on every page; instead it is sent once and the same cookie is then passed back and forth between server and client for that session.

CONCLUSION
============
1. If you have set adsutil set w3svc/1/AspKeepSessionIDSecure 0, the server sends a regular NON-Secure cookie to the client on the first request, and the same cookie is then passed back and forth; this behavior does not depend on whether your ASP pages use Sessions. Because the cookie lacks the Secure attribute, the browser will also send it over any plain http:// connection to the same host, where anyone on the network path can read it.

2. If you have set adsutil set w3svc/1/AspKeepSessionIDSecure 1 AND you are NOT USING Sessions, the server sends a Secure cookie to the client on each request. If you are using frames, every page receives a new Secure cookie on each request, as the Fiddler traces above show (framedpage.asp, top.asp and bottom.asp all got a Set-Cookie response from the server, each with a different ASPSESSIONID value).

3. If you have set adsutil set w3svc/1/AspKeepSessionIDSecure 1 AND you are USING Sessions, the server sends a Secure cookie to the client on the first request, and the same cookie is then passed back and forth for the whole browser session.

NB -> "cookie" in the conclusion refers to the ASPSESSIONID cookie.
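To turn the three cases above into something you can run against a saved capture, here is an added example (my own code, not part of the original post): a small Python script that parses Fiddler-style request/response text, tracks the ASPSESSIONID values it sees, and reports whether the cookie carried the Secure attribute and whether the server re-issued it on every response. The first two sample traces are condensed from the captures above; the third ("Session in use") is constructed, since the post describes that case without showing a capture. The HttpOnly check goes beyond the post; the captures above show IIS setting only secure and path on this cookie.

```python
"""Classify how the ASPSESSIONID cookie travels in a captured HTTP trace.
Added example, not code from the original post. It reads Fiddler-style
request/response text like the captures above and reports whether the session
cookie carries Secure and whether the server re-issued it on every response."""
import re
from dataclasses import dataclass, field

SESSION_PREFIX = "ASPSESSIONID"
REQUEST_LINE = re.compile(r"^(?:GET|POST|HEAD) (\S+) HTTP/1\.[01]$")
CASE_NOT_VISIBLE = "cookie issued before this capture and reused; Secure attribute not visible here"
CASE_NONSECURE = "non-Secure session cookie issued (AspKeepSessionIDSecure 0); it will also go over plain http"
CASE_SECURE_REISSUED = "Secure cookie re-issued on every response (AspKeepSessionIDSecure 1, no Session use)"
CASE_SECURE_REUSED = "Secure cookie issued once then reused (AspKeepSessionIDSecure 1, Session in use)"

@dataclass
class Exchange:
    path: str
    request_cookies: dict = field(default_factory=dict)   # name -> value from the Cookie header
    set_cookies: list = field(default_factory=list)       # (name, value, {attribute names})

def parse_trace(text):
    """Split raw trace text into Exchange objects; each request line starts a new one."""
    exchanges, in_response = [], False
    for line in text.splitlines():
        if m := REQUEST_LINE.match(line):
            exchanges.append(Exchange(m.group(1)))
            in_response = False
        elif line.startswith("HTTP/1."):       # status line: what follows belongs to the response
            in_response = True
        elif exchanges and ":" in line:
            name, _, value = line.partition(":")
            name, value, current = name.strip().lower(), value.strip(), exchanges[-1]
            if name == "cookie" and not in_response:
                for part in value.split(";"):
                    k, _, v = part.strip().partition("=")
                    current.request_cookies[k] = v
            elif name == "set-cookie" and in_response:
                first, *attrs = (p.strip() for p in value.split(";"))   # tolerates "secure ; path=/"
                k, _, v = first.partition("=")
                current.set_cookies.append((k, v, {a.split("=")[0].lower() for a in attrs if a}))
    return exchanges

def session_ids(exchanges):
    """Distinct session ID values in order of first appearance (Cookie and Set-Cookie)."""
    values = [v for e in exchanges
              for k, v in list(e.request_cookies.items()) + [(k, v) for k, v, _ in e.set_cookies]
              if k.startswith(SESSION_PREFIX)]
    return list(dict.fromkeys(values))

def issued_session_cookies(exchanges):
    """Every Set-Cookie for the session cookie, as (path, name, value, attributes)."""
    return [(e.path, k, v, a) for e in exchanges for k, v, a in e.set_cookies if k.startswith(SESSION_PREFIX)]

def missing_attributes(exchanges, required=("secure", "httponly")):
    """Session cookies issued without the attributes a session cookie should carry."""
    return [(path, name, [r for r in required if r not in attrs])
            for path, name, _, attrs in issued_session_cookies(exchanges)
            if any(r not in attrs for r in required)]

def classify(exchanges):
    """Map a trace onto the cases in the conclusion above."""
    issued = issued_session_cookies(exchanges)
    if not issued:
        return CASE_NOT_VISIBLE
    if not all("secure" in attrs for *_, attrs in issued):
        return CASE_NONSECURE
    fresh_every_response = (len(issued) == len(exchanges)
                            and len({v for _, _, v, _ in issued}) == len(issued))
    return CASE_SECURE_REISSUED if fresh_every_response else CASE_SECURE_REUSED

# Condensed from the two Fiddler captures in the post (AspKeepSessionIDSecure 0, then 1).
TRACE_KEEP_SECURE_0 = """\
GET /Frame/framedpage.asp HTTP/1.1
Cookie: ASPSESSIONIDQQTRTQBT=NHMDAAPAFPENBJOFCONMMLMM
HTTP/1.1 200 OK
GET /Frame/bottom.asp HTTP/1.1
Cookie: ASPSESSIONIDQQTRTQBT=NHMDAAPAFPENBJOFCONMMLMM
HTTP/1.1 200 OK
"""
TRACE_KEEP_SECURE_1 = """\
GET /Frame/framedpage.asp HTTP/1.1
Cookie: ASPSESSIONIDQUTTSQAT=IBCPNAPAGKIMMPBLFGMJPIJM
HTTP/1.1 200 OK
Set-Cookie: ASPSESSIONIDQUTTSQAT=JBCPNAPAJCJHIGGEGDFCGMGE; secure; path=/
GET /Frame/top.asp HTTP/1.1
Cookie: ASPSESSIONIDQUTTSQAT=JBCPNAPAJCJHIGGEGDFCGMGE
HTTP/1.1 200 OK
Set-Cookie: ASPSESSIONIDQUTTSQAT=KBCPNAPAICGGPAHELKHGEKCN; secure; path=/
GET /Frame/bottom.asp HTTP/1.1
Cookie: ASPSESSIONIDQUTTSQAT=JBCPNAPAJCJHIGGEGDFCGMGE
HTTP/1.1 200 OK
Set-Cookie: ASPSESSIONIDQUTTSQAT=LBCPNAPALFJPFOKMIKLCKMHM; secure ; path=/
"""
# Constructed, not from the post: a page that touches Session, so the cookie is issued once and reused.
TRACE_SESSION_IN_USE = """\
GET /Frame/framedpage.asp HTTP/1.1
HTTP/1.1 200 OK
Set-Cookie: ASPSESSIONIDAAAABBBB=AAAAAAAAAAAAAAAAAAAAAAAA; secure; path=/
GET /Frame/top.asp HTTP/1.1
Cookie: ASPSESSIONIDAAAABBBB=AAAAAAAAAAAAAAAAAAAAAAAA
HTTP/1.1 200 OK
"""
```

Paste text from Fiddler's raw view into parse_trace and hand the result to classify and missing_attributes. Note what the first sample returns: a capture that starts after the cookie was issued contains no Set-Cookie, so it cannot tell you whether Secure was set at all. When you audit a site, clear cookies first (or start Fiddler before the first request) so the Set-Cookie itself is in the capture.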

Hope this helps.
Rahul
