Using ExecuteURL as 404 handler in web.config will bypass URL Rewrite (ie.. outboundRules) while using other responseModes won't

Problem description

I have the following rule in web.config designed to identify and rewrite outbound session cookies with both the secure and httpOnly flags:

<rewrite>
    <outboundRules>
        <preConditions>
            <preCondition name="MatchSessionCookies">
                <add input="{RESPONSE_SET_COOKIE}" pattern="." />
            </preCondition>
        </preConditions>

        <rule preCondition="MatchSessionCookies" name="SecureSessionCookies" enabled="true">
            <match serverVariable="RESPONSE_SET_COOKIE" pattern="^(.*sess.*)=(.+)$" />
            <action type="Rewrite" value="{R:1}={R:2}; httpOnly; secure" />
        </rule>
    </outboundRules>
</rewrite>

This works as intended, up until httpErrors comes into play:

<httpErrors>
    <remove statusCode="404" subStatusCode="-1" />
    <error statusCode="404" prefixLanguageFilePath="" path="/path/to/404.aspx" responseMode="ExecuteURL" />
</httpErrors>

So when accessing /a-page-that-exists.aspx, the outbound ASPSESSIONID cookies that get written out are successfully rewritten with both secure and httpOnly flags.

Request URL: /a-page-that-exists.aspx
Status Code: 200 OK

Set-Cookie: ASPSESSIONIDABCDEFG=...; path=/; httpOnly; secure

The problem is accessing /a-page-that-does-NOT-exist.aspx. It appears that the [404] request is internally "routed" to the ExecuteURL path and my URL rewrite rules I have in place are bypassed altogether.

Request URL: /a-page-that-does-NOT-exist.aspx
Status Code: 200 OK

Set-Cookie: ASPSESSIONIDABCDEFG=...; path=/

Any ideas on how to modify my outbound rewrite rules so that they can be applied to [404] requests before being handed off to my 404 handler?

Recommended answer

Well, it looks like we have to make do with a URL Rewrite version of IIS <httpErrors /> handler, but it works:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <!-- Remove existing 404 handler -->
        <httpErrors>
            <remove statusCode="404" subStatusCode="-1" />
        </httpErrors>

        <rewrite>
            <outboundRules>
                <preConditions>
                    <preCondition name="MatchSessionCookies">
                        <add input="{RESPONSE_SET_COOKIE}" pattern="." />
                    </preCondition>
                </preConditions>

                <!-- Does NOT work with ExecuteURL 404 handler -->
                <rule preCondition="MatchSessionCookies" name="SecureSessionCookies" enabled="true">
                    <match serverVariable="RESPONSE_SET_COOKIE" pattern="^(gsm|.*sess.*)=(.+)$" />
                    <action type="Rewrite" value="{R:1}={R:2}; httpOnly; secure" />
                </rule>
            </outboundRules>
            <rules>
                <!-- Re-implement ExecuteURL 404 handler as URL Rewrite -->
                <rule name="Handle404" stopProcessing="true">
                    <match url=".*" />
                    <conditions logicalGrouping="MatchAny">
                        <add input="{REQUEST_FILENAME}" matchType="IsFile" negate="true" />
                    </conditions>
                    <action type="Rewrite" url="/path/to/404.aspx?404;{PreserveSchema:{HTTPS}}{HTTP_HOST}{UNENCODED_URL}" />
                </rule>
            </rules>
            <rewriteMaps>
                <!-- http://stackoverflow.com/a/10227936/901156 -->
                <rewriteMap name="PreserveSchema" defaultValue="OFF">
                    <add key="ON" value="https://" />
                    <add key="OFF" value="http://" />
                </rewriteMap>
            </rewriteMaps>
        </rewrite>
    </system.webServer>
</configuration>

And the response:

Request URL: /a-page-that-does-NOT-exist.aspx
Status Code: 200 OK

Set-Cookie: ASPSESSIONIDABCDEFG=...; path=/; httpOnly; secure
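
A regression check for the gap described in this thread, added here as an example and not part of the original question or answer: it audits captured Set-Cookie values per request path, so the error-handler path is tested alongside the normal one. The function names, the `theme` cookie and the choice to match the rule's name pattern case-insensitively against the cookie name only are assumptions of this example.

```python
import re

# Name pattern taken from the rule on this page (gsm|.*sess.*); matching it
# against the cookie name only, case-insensitively, is an assumption here.
SESSION_NAME = re.compile(r"^(gsm|.*sess.*)$", re.IGNORECASE)
REQUIRED = ("secure", "httponly")


def missing_flags(set_cookie):
    """Return the required attributes absent from one Set-Cookie value,
    or None when the cookie is not a session cookie."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    if not SESSION_NAME.match(name):
        return None
    # Attribute names are case-insensitive; ignore any "=value" part.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    return [flag for flag in REQUIRED if flag not in attrs]


def audit(responses):
    """responses: {path: [Set-Cookie values]} -> [(path, cookie name, missing)]."""
    findings = []
    for label, cookies in responses.items():
        for value in cookies:
            missing = missing_flags(value)
            if missing:
                findings.append((label, value.split("=", 1)[0], missing))
    return findings


# Constructed sample: the two responses shown in the question, plus a
# made-up non-session cookie that the audit should ignore.
SAMPLE = {
    "/a-page-that-exists.aspx": [
        "ASPSESSIONIDABCDEFG=...; path=/; httpOnly; secure",
        "theme=dark; path=/",
    ],
    "/a-page-that-does-NOT-exist.aspx": [
        "ASPSESSIONIDABCDEFG=...; path=/",
    ],
}

if __name__ == "__main__":
    for label, name, missing in audit(SAMPLE):
        print(f"{label}: {name} missing {', '.join(missing)}")
```

Feeding it the headers captured from both an existing page and a non-existent one catches the case where the 404 handler serves a session cookie that the outbound rule never touched.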
