Code Highlighting

Monday, August 6, 2012

European cookie law and classic asp

The EU cookie law is being rolled out as we speak. The Netherlands specifically have already passed the necessary national laws, and dutch websites are already being checked for compliance (even though violations will only yield a warning, not a fine yet).
Those of us who have classic asp legacy sites may have noticed something disconcerting in dealing with this: there is no way to disable session cookies in asp on a per-request basis. You can disable asp sessions altogether for your entire application, and there is an option to disable the session for a single page (but session cookies will still be sent ). Your configuration may be different, but for what it's worth, here's what has worked for us:
You'll need:
  • ASP.NET on your server,
  • IIS 7 or higher, and
  • your application pool in integrated mode
The more perceptive of you will have already figured out where this is going. I am simply going to have ASP.NET remove the cookies the asp handler generates. I wrote a class CookieMonsterModule (because it eats cookies, see?) that checks for a custom header, and removes the cookies if it can't find that header:

using System;
using System.Web;

namespace Tabeoka.CookieMonster
    public class CookieMonsterModule : IHttpModule
        public void Dispose() { }

        public void Init(HttpApplication context)
            context.PostRequestHandlerExecute += new EventHandler(CheckEnableCookies);

        public static void CheckEnableCookies(object sender, EventArgs e)
            var response = HttpContext.Current.Response;

            if (!"true".Equals(response.Headers["enablecookies"]))
                // Yum Yum

As you can see, all you need to have cookies make it through, is set the 'enablecookies' header to true:

<%@Language=Javascript %>

Response.AddHeader("enablecookies", "true");

I have made a neat little package at . It includes a minimal web.config that loads the httpmodule, and the dll itself. You can just copy it into the root of your classic asp app, and start using it (given your configuration meets the requirements). Feel free to take the idea and run with it.


No comments:

Post a Comment