Cookies and ASP.NET Core


Question

This might be a simple question, I'm hoping it is at least.

I've started to look into the Release Candidate of ASP.NET Core and I can see that a lot of the configuration has been moved out of the old web.config file and into JSON structured files (as well as XML and any other middleware that you might want to write yourself).
The one thing I haven't yet figured out how to do is something that was so simple in the old web.config approach, securing some of the basic components of your site like cookies.

Previously we'd set the secure, httpOnly and so on inside web.config and when it came to deployment a nice little transform file would modify the values for us and spit out the new file at the end. After reading round a bit, it seems that web.config is pretty much dead now, so how do we go about achieving the same results?

I know we can load different config files based on whether certain variables, such as environment, are set to DEV, STAGING, PRODUCTION etc. but this seems to be just replacing transforms with something that is a transform for all intents and purposes except in how it's actually loaded?

Have I missed something here or have I managed to work myself into a bit of a mess?

Recommended answer

For a general cookie manually created within your application, you control the flags for security when creating it - for example:

Response.Cookies.Append(
    "COOKIE_NAME",
    "COOKIE_VALUE",
    new CookieOptions()
    {
        Path = "/",
        HttpOnly = false,
        Secure = false
    }
);

Here, setting HttpOnly to true would prevent client-side JS from accessing the cookie value, and setting Secure to true would only allow the cookie to be served/received over HTTPS.

No defaults are applied when you add cookies to the response, as can be seen in the source code for the ResponseCookies class.

For the various middlewares that create and consume their own cookies (like the Session middleware that you have mentioned in your answer), they may have their own configuration options that will control these flags for those cookies they create themselves, but this will make no difference to cookies you create elsewhere in your application.
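
An added example, not part of the original answer: because `Response.Cookies.Append` applies no defaults, the flags can be enforced in one place with the cookie policy middleware and relaxed per environment through configuration. It assumes the .NET 6+ minimal hosting model (later than the release candidate discussed above), and the configuration key `CookieSecurity:RequireHttps` is a hypothetical name chosen for this sketch.

```csharp
using Microsoft.AspNetCore.CookiePolicy;

var builder = WebApplication.CreateBuilder(args);

// Hypothetical key: set "CookieSecurity": { "RequireHttps": false } in
// appsettings.Development.json to allow plain-HTTP testing on a dev box.
// The default is true, so a missing setting fails closed.
bool requireHttps =
    builder.Configuration.GetValue("CookieSecurity:RequireHttps", true);

var app = builder.Build();

// Must be registered before any middleware or endpoint that writes cookies;
// it rewrites the options of every cookie appended after this point.
app.UseCookiePolicy(new CookiePolicyOptions
{
    // Force HttpOnly on every cookie, whatever the caller passed.
    HttpOnly = HttpOnlyPolicy.Always,

    // Always: Secure is set on every cookie.
    // SameAsRequest: Secure is set only when the request arrived over HTTPS.
    Secure = requireHttps
        ? CookieSecurePolicy.Always
        : CookieSecurePolicy.SameAsRequest,

    // Raise SameSite to at least Lax for cookies that asked for less.
    MinimumSameSitePolicy = SameSiteMode.Lax
});

app.MapGet("/", (HttpContext ctx) =>
{
    // Same call as in the answer, with no security flags requested.
    ctx.Response.Cookies.Append(
        "COOKIE_NAME",
        "COOKIE_VALUE",
        new CookieOptions { Path = "/" });

    return "cookie set";
});

app.Run();
```

With the policy in place, the `Set-Cookie` header for `COOKIE_NAME` carries the `secure`, `httponly` and `samesite=lax` attributes even though the `Append` call did not ask for them.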
