Error when accessing cookies when a cookies without a name exists

Question

On a few of the Classic ASP websites I manage for the last few days I have been getting some error notifications (with no error number) that always show an error on a line number where a cookie value is being requested.

Looking at the request for each of these errors, they all have unusual cookies, and look like some sort of hack attempt.

The lines that are indicated as causing the error are all like this:

strCookieCart = Request.Cookies("cart")

Here's a couple of samples of the cookies being sent (truncated)... Note the =true (no name, just a value).

HTTP_COOKIE:=true; yuv=u97Yoe-o0UWp7ho_vaB2csT-xxaQ37gMWzhB1MARTSNk1QKpjJTXmZYMRQ095rM96MaNbhx1tEdJ

HTTP_COOKIE:pll_language=en; =true; yandexuid=6536735381437958890; st=6c9838994ffb

Is Classic ASP incapable of handling these? Is there any way to avoid these errors and ignore the bad values? Are these always likely to be hack attempts or could there be legitimate requests without cookie names?

I suppose I could check for these looking at Request.ServerVariables("HTTP_COOKIE") by manually parsing or using a regular expression check of some sort. Does anyone else do this? Any code to share?

Answer 1

A second answer to my own question and the solution I have now implemented is to add the following code to my common include file.

It tests whether Classic ASP can read the cookies and, using error trapping, ends the response if an error is detected.

On Error Resume Next
Request.Cookies("test")
If Err.Number <> 0 Then Response.End
On Error Goto 0

This is a better solution to my other answer as there is no point in generating a page for what is obviously an attack of some sort so ending the script as soon as possible is a better choice.

Answer 2

My proposed answer to my own question is to create a class that extracts all the valid keys and values for the cookies on initialisation, and has a function to return a value for a specified key.

Unfortunately it doesn't work for cookies that contain a collection of multiple values, but I don't generally use these anyway.

Here is the class:

<%
Class MyRequest
    Private m_objCookies

    Private Sub Class_Initialize()
        Dim strCookies, i, strChar, strName, strValue, blnInValue
        strCookies = Request.ServerVariables("HTTP_COOKIE")
        Set m_objCookies = Server.CreateObject("Scripting.Dictionary")
        i = 1
        strName = ""
        strValue = ""
        blnInValue = False
        Do
            strChar = Mid(strCookies, i, 1)
            If strChar = ";" Or i = Len(strCookies) Then
                strValue = Trim(strValue)
                If strName <> "" And strValue <> "" Then
                    If m_objCookies.Exists(strName) Then
                        m_objCookies.Item(strName) = strValue
                    Else
                        m_objCookies.Add strName, strValue
                    End If
                End If
                If i = Len(strCookies) Then Exit Do 
                strName = ""
                strValue = ""
                blnInValue = False
            ElseIf strChar = "=" Then
                strName = Trim(strName)
                blnInValue = True
            ElseIf blnInValue Then
                strValue = strValue & strChar
            Else
                strName = strName & strChar
            End If
            i = i + 1
        Loop
    End Sub

    Public Function Cookies(strKey)
        Cookies = m_objCookies.Item(strKey)
    End Function
End Class
%>

The changes to my code to use this class are minimal. Where I currently have...

strCookieCart = Request.Cookies("cart")

I will need to change to...

Dim objMyRequest : Set objMyRequest = New MyRequest
strCookieCart = objMyRequest.Cookies("cart")

I have tested the above with many of the bad requests I have logged and it works fine.