IE Protected Mode + SSL Login = No cookie for non-SSL pages


Problem description

(FWIW, I've posted this question to my blog as well: http://blog.wolffmyren.com/2011/07/11/ie-protected-mode-ssl/)

Does anyone know how to work around Internet Explorer Protected Mode limitations without requiring the end-user to add our site to the Trusted Sites list?

The problem is that if we enable SSL logins for our site, they can only access SSL pages. IE prevents our non-SSL served pages from accessing the cookie created during the SSL session, so we can either serve everything via SSL (very expensive/resource-intensive), or find some way to set an SSL and non-SSL cookie during the login process.

This MSDN article (What does ielowutil.exe have to do with Internet Explorer 8.0?) has the most relevant information I’ve found yet, but it discusses using Windows APIs, and I’m looking for a solution I can implement with ASP.NET, JavaScript, or some other well-delivered solution.

Update: A friend of mine shared these links, hopefully they'll help:

  • http://www.leastprivilege.com/PartiallySSLSecuredWebAppsWithASPNET.aspx
  • Partial SSL in ASP.NET Webforms without changing IIS configuration

Recommended answer

As Bruno alludes, you should check to see whether the SECURE attribute is being set on your cookies (use the F12 developer tools or Fiddler). If it is, you'll see this behavior on ALL browsers.

If not, then the problem is quite likely that you have in the Trusted Zone and http://whatever.com isn't also in the Trusted Zone. If that's your configuration, then yes, Protected Mode is the root cause of the issue, which I've explained much more completely here:

http://blogs.msdn.com/b/ieinternals/archive/2011/03/10/internet-explorer-beware-cookie-sharing-in-cross-zone-scenarios.aspx
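
To run the Secure-attribute check described in the answer over captured response headers, the following added example (not part of the original question or answer) parses `Set-Cookie` values and reports which cookies a browser would attach to the HTTPS and the plain-HTTP version of a page. The cookie names and sample headers are constructed, the function names are hypothetical, and a missing `Path` is assumed to default to `/`.

```javascript
// Parse one Set-Cookie header value into name, value and attributes (RFC 6265 syntax).
// Assumption: a missing Path defaults to "/" (real browsers derive it from the request URL).
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1),
                   secure: false, domain: null, path: '/' };
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const val = i === -1 ? '' : attr.slice(i + 1).trim();
    if (key === 'secure') cookie.secure = true;
    else if (key === 'domain') cookie.domain = val.replace(/^\./, '').toLowerCase();
    else if (key === 'path' && val.startsWith('/')) cookie.path = val;
  }
  return cookie;
}

// Decide whether a cookie set by setterHost would be attached to a request for url.
function sentTo(cookie, setterHost, url) {
  const u = new URL(url);
  const host = u.hostname.toLowerCase();
  const domainOk = cookie.domain
    ? host === cookie.domain || host.endsWith('.' + cookie.domain)
    : host === setterHost.toLowerCase();            // host-only cookie
  const p = cookie.path;
  const pathOk = u.pathname === p || (u.pathname.startsWith(p) &&
    (p.endsWith('/') || u.pathname[p.length] === '/'));
  const schemeOk = !cookie.secure || u.protocol === 'https:';  // Secure => HTTPS only
  return domainOk && pathOk && schemeOk;
}

// Report, per cookie, whether it reaches the HTTPS and the plain-HTTP page.
function auditLogin(setCookieHeaders, setterHost, httpsUrl, httpUrl) {
  return setCookieHeaders.map(h => {
    const c = parseSetCookie(h);
    return { name: c.name, secure: c.secure,
             https: sentTo(c, setterHost, httpsUrl),
             http: sentTo(c, setterHost, httpUrl) };
  });
}

// Constructed sample: headers as they might be copied from Fiddler after an SSL login.
const SAMPLE = [
  'AuthTicket=abc123; Path=/; Secure; HttpOnly',
  'DisplayName=alice; Path=/; HttpOnly',
];
console.log(auditLogin(SAMPLE, 'whatever.com',
  'https://whatever.com/account', 'http://whatever.com/home'));
```

A cookie reported with `secure: true` and `http: false` is withheld from non-SSL pages by every browser, which is the first case the answer describes; if no cookie is flagged that way, the cross-zone explanation is the one to investigate.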
