在Asp.Net中在安全中启用HTTPOnly [英] Enabling HTTPOnly in Secure in Asp.Net

问题描述

我们已经为我们的站点启用了HttpOnly.

We have enabled HttpOnly for our site.

<configuration>
    <system.web>
        <httpCookies httpOnlyCookies="true" requireSSL="true" />
    </system.web>
</configuration>

当我们访问非安全区域的网站时，此方法工作正常.但是在安全活动区域(Https)中，此方法不起作用，我们能够获取会话密钥.如何减轻它.任何有帮助的想法.

This is working fine, when we accessing the site in non-secure region. But in Secure live region(Https), this is not working and we able to get the session keys. how to mitigate it. any idea whould be much helpful.

我正在Asp.Net 2.0中尝试

Im trying in Asp.Net 2.0

推荐答案

我在这里有很多解决方案..随时在满足您需求的这些解决方案中进行选择

I have bunch of solutions here dude.. Just feel free to choose among these solutions which caters your needs

• 在Global.asax中，如下覆盖Session_Start方法.

• In Global.asax, overwrite the Session_Start method as follows.

<script runat="server">       
 void Session_Start(object sender, EventArgs e) 
{

    if(Response.Cookies.Count > 0)
    foreach(string s in Response.Cookies.AllKeys)
     if(s == System.Web.Security.FormsAuthentication.FormsCookieName ||
            s.ToLower().Equals("asp.net_sessionid") )
    Response.Cookies[s].HttpOnly = false;

}

参考: http://nerd.steveferson.com/2007/09/14/act-sessionid-and-login-problems-with-asp-net-20/#.URiXUqWzd9c

reference:http://nerd.steveferson.com/2007/09/14/act-sessionid-and-login-problems-with-asp-net-20/#.URiXUqWzd9c

• 请注意，在ASP.NET 1.1中，System.Net.Cookie类不支持HttpOnly属性.因此，要将HttpOnly属性添加到Cookie，您可以将以下代码添加到应用程序的

• Note that in ASP.NET 1.1 the System.Net.Cookie class does not support the HttpOnly property. Therefore, to add an HttpOnly attribute to the cookie you could add the following code to your application's

Global.asax中的Application_EndRequest事件处理程序:

Application_EndRequest event handler in Global.asax:

protected void Application_EndRequest(Object sender, EventArgs e)
{
  string authCookie = FormsAuthentication.FormsCookieName;

  foreach (string sCookie in Response.Cookies)
  {
        if (sCookie.Equals(authCookie))
        {
              Response.Cookies[sCookie].Path += ";HttpOnly";
        }
  }
}

参考: http://blogs.msdn.com/b/dansellers/archive/2006/03/13/550947.aspx

reference: http://blogs.msdn.com/b/dansellers/archive/2006/03/13/550947.aspx

• 将此添加到您的Global.asax

• Add this to your Global.asax

void Application_EndRequest(Object sender, EventArgs e)
{
   if (Response.Cookies.Count > 0)
   {
       foreach (string s in Response.Cookies.AllKeys)
       {
           if (s == "ASP.NET_SessionId")
           {
               Response.Cookies["ASP.NET_SessionId"].HttpOnly = false;
           }
       }
   }

}

参考:从此论坛 http://forums.asp.net/p/955272/1177574.aspx#1177574

您也可以尝试Scott Hanselman撰写的这篇 HttpOnly Cookies on ASP.NET 1.1 ，但它的ASP.NET 1.1

reference: from this forum http://forums.asp.net/p/955272/1177574.aspx#1177574

You could also try this Post HttpOnly Cookies on ASP.NET 1.1 by Scott Hanselman but its ASP.NET 1.1

这篇关于在Asp.Net中在安全中启用HTTPOnly的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！