传统ASP对"SameSite"的使用在饼干上 [英] Classic ASP use of "SameSite" on cookies

问题描述

我们正在使用Classic ASP通过Response.Cookies(" CookieName ")来构建Cookie.我们将如何设置"SameSite"?都没有?

We're using Classic ASP to construct our cookies via Response.Cookies( "CookieName" ). How would we go about setting "SameSite" to none?

推荐答案

尝试一下(您需要安装URLRewrite模块).您还需要使用https协议(SameSite仅在还包含Secure的情况下有效，并且如果不使用https协议就不能包含Secure). HttpOnly也应始终使用，但是如果您的站点上有一些需要读取Cookie的JavaScript代码，则HttpOnly可以防止这种情况.

Try this (you need the URLRewrite module installed). You also need to be using the https protocol (SameSite only works if Secure is also included, and you can't include Secure without using the https protocol). HttpOnly should always be used too, but if you have some JavaScript code on your site that needs to read cookies, HttpOnly will prevent that.

您可能还需要添加"HTTP_COOKIE"到允许的服务器变量"；在IIS中的URLRewrite下.但是我认为那只是为了读取传入的Cookie.

You also might need to add "HTTP_COOKIE" to the "allowed server variables" in IIS under URLRewrite. But I think that's just for reading incoming cookies.

经过尝试和测试，完美运行.

Tried and tested, works perfectly.

注意:如果您已经在使用Response.Cookies("CookieName").Secure = True，它将两次将Secure添加到响应标头值中(除非您从动作重写值中删除Secure)，两次被包含不成问题，但是某些浏览器可能会对此类事情大惊小怪，尤其是Chrome浏览器，因为Google继续采用严格的Cookie规则来执行越来越多的更新.

Note: If you're already using Response.Cookies("CookieName").Secure = True, it will add Secure to the response header value twice (unless you remove Secure from the action rewrite value), being included twice shouldn't be an issue, but some browsers can be fussy with stuff like that, especially Chrome as Google continues to role out more and more updates with stricter cookies rules.

httpProtocol > customHeaders部分是完全可选的，但是它将为您的站点增加更多的安全性.

The httpProtocol > customHeaders section is completely optional, but it will add more security to your site.

web.config

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <rewrite>
        <outboundRules>
            <rule name="SameSite rewrite">
                <match serverVariable="RESPONSE_Set_Cookie" pattern="(.*)=(.*)" negate="false" />
                <action type="Rewrite" value="{R:1}={R:2}; SameSite=None; HttpOnly; Secure" />
            </rule>     
        </outboundRules>
    </rewrite>
    <httpProtocol>
      <customHeaders>
        <add name="X-Frame-Options" value="SAMEORIGIN" />
        <add name="X-Content-Type-Options" value="nosniff" />
        <add name="X-XSS-Protection" value="1; mode=block" />
        <add name="Referrer-Policy" value="strict-origin" />
        <add name="Strict-Transport-Security" value="max-age=31536000" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>

这篇关于传统ASP对"SameSite"的使用在饼干上的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！