Search code examples
vbscriptasp-classic

Classic Asp cookie expires date does not always get set

I am trying to set cookie with addheader -method in Classic Asp which is the only way of adding among other things HttpOnly and Secure -flags to cookies. All work with the below code - but there is one exception and its is the expiration date/time.

<%
Response.AddHeader "Set-Cookie", "testCookie=2000; path=/;HttpOnly;Secure;expires=" & dateAdd("d", 365, Now()) & ";samesite=Strict;HostOnly"
%>

However, it seems to be browser-related issue. In firefox I can see in the Storage tab of developer tools that expiration time is set. But in Chrome it always stays as the default which is the expiration with the end of session. This same issue is with the Edge too.

Has anyone any experience with this issue?

Solution

  • The expected date format is documented here. You need to produce expiration date in that manner.

    In Classic ASP, you can use server-side JavaScript to produce such dates easily.

    <!--#include file="HTTPDate.asp"-->
<%
Response.AddHeader "Set-Cookie", "testCookie=2000; path=/;HttpOnly;Secure;expires=" & HTTPDate(DateAdd("d", 365, Now())) & ";samesite=Strict;HostOnly"
%>

    HTTPDate.asp

    <script language="javascript" runat="server">
function HTTPDate(vbsDate){
    return (new Date(vbsDate)).toGMTString().replace(/UTC/, "GMT");
}
</script>

    Edit: Pure VBScript solution added.

    <%
Function CurrentTZO()
    With CreateObject("WScript.Shell") 
        CurrentTZO = .RegRead( _ 
        "HKLM\System\CurrentControlSet\Control\TimeZoneInformation\ActiveTimeBias")
    End With
End Function

Function Pad(text)
    Pad = Right("00" & text, 2)
End Function

Function HTTPDate(ByVal localDate)
    localDate = DateAdd("n", CurrentTZO(), localDate)

    ' WeekdayName and MonthName functions relies on locale
    ' need to produce day and month name abbreviations in en-US locale
    Dim locale : locale = SetLocale("en-US")

    Dim out(5)
    out(0) = WeekdayName(Weekday(localDate), True) & ","
    out(1) = Pad(Day(localDate))
    out(2) = MonthName(Month(localDate), True)
    out(3) = Year(localDate)
    out(4) = Join(Array(Pad(Hour(localDate)), Pad(Minute(localDate)), Pad(Second(localDate))), ":")
    out(5) = "GMT"

    SetLocale locale ' set original locale back 

    HTTPDate = Join(out, " ")
End Function

Response.AddHeader "Set-Cookie", "testCookie=2000; path=/;HttpOnly;Secure;expires=" & HTTPDate(DateAdd("d", 365, Now())) & ";samesite=Strict;HostOnly"
%>