使用IIS重写将HttpOnly标志添加到Cookie不起作用 [英] Using IIS Rewrite to add HttpOnly Flag To Cookies Not Working
问题描述
我发现了许多将HttpOnly添加到我的cookie中的例子,但它对我不起作用,我不知道为什么。我找到的所有例子都是一样的,我从我找到的一个帖子中复制了这个例子。我在IIS 7.0下使用.NET 3.5。希望有人可以告诉我我做错了什么?谢谢
< rewrite>
< outboundRules>
< rule name =Add HttpOnlypreCondition =No HttpOnly>
< match serverVariable =RESPONSE_Set_Cookiepattern =。*negate =false/>
< action type =Rewritevalue ={R:0}; HttpOnly/>
< conditions>
< / conditions>
< / rule>
< preConditions>
< preCondition name =No HttpOnly>
< add input ={RESPONSE_Set_Cookie}pattern =。 />
< add input ={RESPONSE_Set_Cookie}pattern =; HttpOnlynegate =true/>
< / preCondition>
< / preConditions>
< / outboundRules>
< / rewrite>
更新
<我想出了如何打开跟踪,发现preCondition正在查看所有cookie,而不是每个cookie。
所以不要评估
Set-Cookie:myC5 = we有S Cookie;路径= /;安全
Set-Cookie:myC6 =我们有S Cookie;路径= /;安全
Set-Cookie:myC7 =我们有S Cookie;路径= /;安全; HttpOnly
正在评估
myC5 =我们有S Cookie;路径= /;安全,myC6 =我们有S Cookie;路径= /;安全,myC7 =我们有S Cookie;路径= /;安全; HttpOnly
由于整个字符串有; HttpOnly在其中,preCondition失败。
我如何通过这个?任何想法?
我终于通过了这个,所以我想发布可能遇到此问题的其他人。我删除了我的preConditions并且只使用了条件。然后我不得不使用后向引用来获取单个cookie。
< rewrite>
< outboundRules>
< rule name =Add HttpOnly>
< match serverVariable =RESPONSE_Set_Cookiepattern =。*/>
< conditions>
< add input ={R:0}pattern =; HttpOnlynegate =true/>
< / conditions>
< action type =Rewritevalue ={R:0}; HttpOnly/>
< / rule>
< rule name =Add Secure>
< match serverVariable =RESPONSE_Set_Cookiepattern =。*/>
< conditions>
< add input ={R:0}pattern =; Securenegate =true/>
< / conditions>
< action type =Rewritevalue ={R:0}; Secure/>
< / rule>
< / outboundRules>
< / rewrite>
希望这可以帮助将来的某个人。
I found numerous examples of adding the HttpOnly to my cookies but it does not work for me and I am not sure why. All the examples I found were the same and I copied this one from one of the posts that I had found. I am using .NET 3.5 under IIS 7.0. Hopefully someone can tell me what I am doing wrong? Thanks
<rewrite>
<outboundRules>
<rule name="Add HttpOnly" preCondition="No HttpOnly">
<match serverVariable="RESPONSE_Set_Cookie" pattern=".*" negate="false" />
<action type="Rewrite" value="{R:0}; HttpOnly" />
<conditions>
</conditions>
</rule>
<preConditions>
<preCondition name="No HttpOnly">
<add input="{RESPONSE_Set_Cookie}" pattern="." />
<add input="{RESPONSE_Set_Cookie}" pattern="; HttpOnly" negate="true" />
</preCondition>
</preConditions>
</outboundRules>
</rewrite>
UPDATE
I figured out how to turn on tracing and found that the preCondition is looking at all the cookies as a whole instead of each individual cookie.
So instead of evaluating
Set-Cookie: myC5=we have S Cookie; path=/; secure
Set-Cookie: myC6=we have S Cookie; path=/; secure
Set-Cookie: myC7=we have S Cookie; path=/; secure; HttpOnly
It is evaluating
myC5=we have S Cookie; path=/; secure,myC6=we have S Cookie; path=/; secure,myC7=we have S Cookie; path=/; secure; HttpOnly
Since the whole string has ; HttpOnly in it, the preCondition fails.
How do I get past this? Any ideas?
I finally got pass this so I wanted to post for others that might run into this. I removed my preConditions and just used conditions. I then had to use the back reference to get to the single cookie.
<rewrite>
<outboundRules>
<rule name="Add HttpOnly">
<match serverVariable="RESPONSE_Set_Cookie" pattern=".*" />
<conditions>
<add input="{R:0}" pattern="; HttpOnly" negate="true" />
</conditions>
<action type="Rewrite" value="{R:0}; HttpOnly" />
</rule>
<rule name="Add Secure">
<match serverVariable="RESPONSE_Set_Cookie" pattern=".*" />
<conditions>
<add input="{R:0}" pattern="; Secure" negate="true" />
</conditions>
<action type="Rewrite" value="{R:0}; Secure" />
</rule>
</outboundRules>
</rewrite>
Hope this helps someone in the future.
这篇关于使用IIS重写将HttpOnly标志添加到Cookie不起作用的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
