Clever Geek Handbook

Error accessing cookies when the cookie is unnamed

On some of the classic ASP websites I've been managing over the past few days, I get error notifications (no error number) that always show an error in the line number where the cookie value is requested.

Looking at the request for each of these errors, they all have unusual cookies and look like a hack attempt.

Lines marked as causing an error look like this:

strCookieCart = Request.Cookies("cart")

Here's a couple of cookie samples being sent (truncated) ... Note =true

(no name, just value).

HTTP_COOKIE:=true; yuv=u97Yoe-o0UWp7ho_vaB2csT-xxaQ37gMWzhB1MARTSNk1QKpjJTXmZYMRQ095rM96MaNbhx1tEdJ

HTTP_COOKIE:pll_language=en; =true; yandexuid=6536735381437958890; st=6c9838994ffb

Is Classic ASP incapable of handling this? Is there a way to avoid these errors and ignore the bad values? Could they always be hacking attempts or could there be legitimate requests without cookie names?

I guess I can check what they are looking at Request.ServerVariables("HTTP_COOKIE")

by manually parsing or using a regex check of some sort. Does anyone else do this? Any exchange code?

+3


source to share


3 answers


The second answer to my question and the solution I have now followed is to add the following code to my general include file.

It checks if Classic ASP can read cookies and, using error trapping, terminates the response if an error is encountered.



On Error Resume Next
Request.Cookies("test")
If Err.Number <> 0 Then Response.End
On Error Goto 0

This is the best solution for my other answer as there is no point in creating a page for what is obviously an attack of some kind, so the script ends as soon as possible.

+2


source


My suggested answer to my question is to create a class that retrieves all valid keys and values ​​for cookies on initialization, and has a function to return a value for a specified key.

Unfortunately this doesn't work for cookies containing a set of multiple values, but I don't use them at all.

Here is the class:

<%
Class MyRequest
    Private m_objCookies

    Private Sub Class_Initialize()
        Dim strCookies, i, strChar, strName, strValue, blnInValue
        strCookies = Request.ServerVariables("HTTP_COOKIE")
        Set m_objCookies = Server.CreateObject("Scripting.Dictionary")
        i = 1
        strName = ""
        strValue = ""
        blnInValue = False
        Do
            strChar = Mid(strCookies, i, 1)
            If strChar = ";" Or i = Len(strCookies) Then
                strValue = Trim(strValue)
                If strName <> "" And strValue <> "" Then
                    If m_objCookies.Exists(strName) Then
                        m_objCookies.Item(strName) = strValue
                    Else
                        m_objCookies.Add strName, strValue
                    End If
                End If
                If i = Len(strCookies) Then Exit Do 
                strName = ""
                strValue = ""
                blnInValue = False
            ElseIf strChar = "=" Then
                strName = Trim(strName)
                blnInValue = True
            ElseIf blnInValue Then
                strValue = strValue & strChar
            Else
                strName = strName & strChar
            End If
            i = i + 1
        Loop
    End Sub

    Public Function Cookies(strKey)
        Cookies = m_objCookies.Item(strKey)
    End Function
End Class
%>

The changes in my code to use this class are minimal. Where am I currently ...



strCookieCart = Request.Cookies("cart")

I will need to change ...

Dim objMyRequest : Set objMyRequest = New MyRequest
strCookieCart = objMyRequest.Cookies("cart")

I've tested above with many failed requests I've logged and it works great.

0


source


The above script is not optimized, it is too slow. Perhaps it would be better to use "HTTP_COOKIE" only to access cookies from your own site, not?

0


source






More articles:


All Articles