Adding Same-site; Secure to Cookies in Classic ASP


Problem description

We are running a classic ASP website, and having issues with Cookies in Chrome browser. Chrome is enforcing the cookie to be set securely (https://www.chromestatus.com/feature/5633521622188032)

We are setting a cookie as follows:

Response.AddHeader "Set-Cookie", "TestCookie=This is a Test; path=/; SameSite=None; Secure" 
Response.Cookies("TestCookie").Expires = Date + 1

However, this has issues with Chrome, where sessions end abruptly when a resource of a different domain is called.

Chrome's cookie details show this:

Send for
Same-site connections only

Note there is no mention of "secure" as I think there should be. What is the correct way of setting the Cookie in classic ASP for this?

Solution

There is a problem with your current approach to setting the Response Cookie.

By using Response.Cookies after setting the header using Set-Cookie you are in effect creating a new empty cookie called "TestCookie". Instead, you want to incorporate the expiry into the existing Set-Cookie header.

Testing your code, this is the Response header contents:

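<%
' Builds a cookie expiry string in the form "Ddd, DD-Mmm-YYYY HH:MM:SS tz".
' Date() and Time() return server-local values and tz is appended as-is,
' so pass "GMT" only when the server clock runs on UTC.
Function FormatCookieDateTime(interval, value, tz)
  Dim dt: dt = DateAdd(interval, value, Date())
  Dim tm: tm = Time()  ' read the clock once so h/m/s come from the same instant
  Dim result: result = WeekDayName(WeekDay(dt), True) & ", " & _
    Right("00" & Day(dt), 2) & "-" & _
    MonthName(Month(dt), True) & "-" & _
    Year(dt) & " " & _
    Right("00" & Hour(tm), 2) & ":" & _
    Right("00" & Minute(tm), 2) & ":" & _
    Right("00" & Second(tm), 2) & " " & tz

  FormatCookieDateTime = result
End Function

' Send every attribute in a single Set-Cookie header; do not also touch Response.Cookies.
Response.AddHeader "Set-Cookie", "TestCookie=This is a Test; path=/; SameSite=None; Secure; expires=" & FormatCookieDateTime("d", 1, "GMT")
%>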

Built a function that makes setting the expiry using the correct format easier.

Remember Secure is for Secure Connections

Because you are setting two cookies (one via AddHeader() and one via Response.Cookie) it might not be clear, but the first cookie with Secure set will be ignored by Chrome if the connection is not using HTTPS. In fact, if you look at the request in Chrome Dev Tools you should see a warning symbol next to the Set-Cookie header that says (when hovered over) something along the lines of:

This set-cookie had the "Secure" attribute but was not received over a secure connection.
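
The two failure modes discussed above (a second Set-Cookie header with the same name, and Secure sent over plain HTTP) can be checked offline against captured response headers. The following is an added example, not code from the original post: the function names, the sample header values and the simplification that a missing path means "/" (Domain is ignored) are assumptions made for illustration.

```python
# Constructed sample headers (not captured from a real server).
BROKEN = [  # AddHeader first, then the extra empty cookie the answer describes
    "TestCookie=This is a Test; path=/; SameSite=None; Secure",
    "TestCookie=; expires=Thu, 10-Jun-2021 00:00:00 GMT; path=/",
]
FIXED = [  # everything in one header, as in the answer's code
    "TestCookie=This is a Test; path=/; SameSite=None; Secure; "
    "expires=Thu, 10-Jun-2021 10:18:14 GMT",
]


def parse_set_cookie(value):
    """Split one Set-Cookie header value into (name, cookie value, attrs)."""
    first, *rest = [p.strip() for p in value.split(";")]
    name, _, val = first.partition("=")
    attrs = {}
    for part in rest:
        if part:
            k, _, v = part.partition("=")
            attrs[k.strip().lower()] = v.strip()
    return name.strip(), val.strip(), attrs


def audit_set_cookie(headers, scheme):
    """Return findings for Set-Cookie values, in the order the server sent them."""
    findings = []
    effective = {}  # (name, path) -> attrs of the header the browser keeps
    for raw in headers:
        name, _, attrs = parse_set_cookie(raw)
        key = (name, attrs.get("path", "/"))  # assumption: default path is "/"
        if key in effective:
            findings.append(f"{name}: later Set-Cookie replaces the earlier one")
        if "secure" in attrs and scheme != "https":
            findings.append(f"{name}: Secure sent over {scheme}, Chrome ignores the cookie")
            continue  # a rejected header never becomes the stored cookie
        effective[key] = attrs
    for (name, _), attrs in effective.items():
        samesite = attrs.get("samesite", "").lower()
        if samesite == "none" and "secure" not in attrs:
            findings.append(f"{name}: SameSite=None without Secure is rejected")
        elif not samesite:
            findings.append(f"{name}: no SameSite, Chrome treats it as Lax")
    return findings


if __name__ == "__main__":
    for label, hdrs in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, audit_set_cookie(hdrs, "https"))
```

For the broken pair the stored cookie ends up without SameSite or Secure on both HTTP and HTTPS, which matches the "Same-site connections only" entry shown in the question.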
