Error accessing cookies when the cookie is unnamed
On some of the classic ASP websites I've been managing over the past few days, I get error notifications (no error number) that always show an error in the line number where the cookie value is requested.
Looking at the request for each of these errors, they all have unusual cookies and look like a hack attempt.
Lines marked as causing an error look like this:
strCookieCart = Request.Cookies("cart")
Here are a couple of samples of the cookies being sent (truncated). Note the =true (no name, just value).
HTTP_COOKIE:=true; yuv=u97Yoe-o0UWp7ho_vaB2csT-xxaQ37gMWzhB1MARTSNk1QKpjJTXmZYMRQ095rM96MaNbhx1tEdJ
HTTP_COOKIE:pll_language=en; =true; yandexuid=6536735381437958890; st=6c9838994ffb
Is Classic ASP incapable of handling this? Is there a way to avoid these errors and ignore the bad values? Could they always be hacking attempts or could there be legitimate requests without cookie names?
I guess I can check for them by looking at Request.ServerVariables("HTTP_COOKIE") and manually parsing it or using a regex check of some sort. Does anyone else do this? Any code to share?
The second answer to my question and the solution I have now followed is to add the following code to my general include file.
It checks if Classic ASP can read cookies and, using error trapping, terminates the response if an error is encountered.
On Error Resume Next
Request.Cookies("test")
If Err.Number <> 0 Then Response.End
On Error Goto 0
This is a better solution than my other answer, as there is no point in building a page for what is obviously an attack of some kind, so the script ends as soon as possible.
My suggested answer to my question is to create a class that retrieves all valid keys and values for cookies on initialization, and has a function to return a value for a specified key.
Unfortunately this doesn't work for cookies containing a set of multiple values, but I don't use them at all.
Here is the class:
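<%
Class MyRequest
    ' Cookie names mapped to values, parsed from the raw Cookie header
    Private m_objCookies

    Private Sub Class_Initialize()
        Dim strCookies, i, strChar, strName, strValue, blnInValue
        ' Read the raw header instead of the Request.Cookies collection
        strCookies = Request.ServerVariables("HTTP_COOKIE")
        Set m_objCookies = Server.CreateObject("Scripting.Dictionary")
        i = 1
        strName = ""
        strValue = ""
        blnInValue = False
        Do
            ' Mid returns "" once i is past the end of the header
            strChar = Mid(strCookies, i, 1)
            If strChar = ";" Or i > Len(strCookies) Then
                ' End of a pair: keep it only if it has both a name and a value
                strValue = Trim(strValue)
                If strName <> "" And strValue <> "" Then
                    If m_objCookies.Exists(strName) Then
                        m_objCookies.Item(strName) = strValue
                    Else
                        m_objCookies.Add strName, strValue
                    End If
                End If
                ' Testing i > Len (not i = Len) keeps the header's last character
                ' and ends the loop when the header is empty
                If i > Len(strCookies) Then Exit Do
                strName = ""
                strValue = ""
                blnInValue = False
            ElseIf strChar = "=" And Not blnInValue Then
                ' The first "=" separates name from value; later ones stay in the value
                strName = Trim(strName)
                blnInValue = True
            ElseIf blnInValue Then
                strValue = strValue & strChar
            Else
                strName = strName & strChar
            End If
            i = i + 1
        Loop
    End Sub

    ' Returns the value stored for strKey (Empty when the cookie was not sent)
    Public Function Cookies(strKey)
        Cookies = m_objCookies.Item(strKey)
    End Function
End Class
%>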
The changes in my code to use this class are minimal. Where I currently have ...
strCookieCart = Request.Cookies("cart")
I will need to change it to ...
Dim objMyRequest : Set objMyRequest = New MyRequest
strCookieCart = objMyRequest.Cookies("cart")
I've tested the above with many failed requests I've logged and it works great.
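The check on the raw header that the question asks about can also be written as a narrow guard: it rejects only requests whose Cookie header contains a pair with an empty name, and leaves a marker in the IIS log before ending the response. This is an added example, not code from either answer; the names CountUnnamedCookies and RejectUnnamedCookies and the log marker text are hypothetical.

```vbscript
<%
' Added example (not from the original posts).
' Inspects the raw Cookie header before Request.Cookies is touched.

' Returns the number of pairs in a raw Cookie header whose name is empty,
' such as the "=true" pair in the samples above.
Function CountUnnamedCookies(strHeader)
    Dim arrPairs, strPair, intCount, i
    intCount = 0
    ' Split on an empty string yields an empty array, so the loop is skipped
    arrPairs = Split(strHeader, ";")
    For i = 0 To UBound(arrPairs)
        strPair = Trim(arrPairs(i))
        ' InStr = 1 means "=" is the first character: a value with no name
        If InStr(strPair, "=") = 1 Then intCount = intCount + 1
    Next
    CountUnnamedCookies = intCount
End Function

' Hypothetical guard, meant to run at the top of a shared include file.
Sub RejectUnnamedCookies()
    Dim strHeader
    strHeader = Request.ServerVariables("HTTP_COOKIE")
    If CountUnnamedCookies(strHeader) > 0 Then
        ' Adds a short marker to this request's IIS log entry (no commas allowed)
        Response.AppendToLog "unnamed-cookie"
        Response.Status = "400 Bad Request"
        Response.End
    End If
End Sub

RejectUnnamedCookies
%>
```

Because the guard keys on one specific malformation rather than on any error, the log marker shows how often such requests arrive and which clients send them.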