Classic ASP use of "SameSite" on cookies

Question

We're using Classic ASP to construct our cookies via Response.Cookies( "CookieName" ). How would we go about setting "SameSite" to none?

Recommended answer

Try this (you need the URLRewrite module installed). You also need to be using the https protocol (SameSite only works if Secure is also included, and you can't include Secure without using the https protocol). HttpOnly should always be used too, but if you have some JavaScript code on your site that needs to read cookies, HttpOnly will prevent that.

You also might need to add "HTTP_COOKIE" to the "allowed server variables" in IIS under URLRewrite. But I think that's just for reading incoming cookies.

Tried and tested, works perfectly.

Note: If you're already using Response.Cookies("CookieName").Secure = True, it will add Secure to the response header value twice (unless you remove Secure from the action rewrite value). Being included twice shouldn't be an issue, but some browsers can be fussy with stuff like that, especially Chrome as Google continues to roll out more and more updates with stricter cookie rules.

The httpProtocol > customHeaders section is completely optional, but it will add more security to your site.

web.config

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <rewrite>
        <outboundRules>
            <!-- Runs on every Set-Cookie response header and appends the three
                 attributes, including on cookies that already carry one of them. -->
            <rule name="SameSite rewrite">
                <match serverVariable="RESPONSE_Set_Cookie" pattern="(.*)=(.*)" negate="false" />
                <action type="Rewrite" value="{R:1}={R:2}; SameSite=None; HttpOnly; Secure" />
            </rule>
        </outboundRules>
    </rewrite>
    <!-- Optional: additional security response headers sent with every response. -->
    <httpProtocol>
      <customHeaders>
        <add name="X-Frame-Options" value="SAMEORIGIN" />
        <add name="X-Content-Type-Options" value="nosniff" />
        <add name="X-XSS-Protection" value="1; mode=block" />
        <add name="Referrer-Policy" value="strict-origin" />
        <add name="Strict-Transport-Security" value="max-age=31536000" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
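
An added check, not part of the original answer: this Python sketch approximates the outbound rule above on sample Set-Cookie values and audits the result for the duplicate-attribute case the note describes and for SameSite=None without Secure. The function names, the sample header strings and the assumption that Python's regex engine matches the way the IIS rule does are all assumptions made for this example.

```python
import re

# Pattern and appended attributes copied from the web.config rule on this page.
RULE_PATTERN = re.compile(r"(.*)=(.*)")
RULE_SUFFIX = "; SameSite=None; HttpOnly; Secure"

def apply_rule(set_cookie):
    """Approximate the rewrite action {R:1}={R:2} plus the appended attributes."""
    m = RULE_PATTERN.match(set_cookie)
    return f"{m.group(1)}={m.group(2)}{RULE_SUFFIX}" if m else set_cookie

def parse_attributes(set_cookie):
    """Return (name, value) pairs, lower-cased, for everything after name=value."""
    parts = [p.strip() for p in set_cookie.split(";")[1:] if p.strip()]
    return [tuple(s.strip().lower() for s in p.partition("=")[::2]) for p in parts]

def audit(set_cookie):
    """List attribute problems in one Set-Cookie header value."""
    attrs = parse_attributes(set_cookie)
    names = [n for n, _ in attrs]
    findings = [f"duplicate attribute: {n}"
                for n in sorted(set(names)) if names.count(n) > 1]
    samesite = [v for n, v in attrs if n == "samesite"]
    if not samesite:
        findings.append("no SameSite attribute")
    elif samesite[-1] == "none" and "secure" not in names:
        findings.append("SameSite=None without Secure")
    if "httponly" not in names:
        findings.append("no HttpOnly attribute")
    return findings

# Constructed sample headers (not captured from a real server).
SAMPLES = [
    "CookieName=abc; path=/",            # plain cookie from the application
    "CookieName=abc; secure; path=/",    # application already set the Secure flag
]

if __name__ == "__main__":
    for raw in SAMPLES:
        rewritten = apply_rule(raw)
        print(rewritten, "->", audit(rewritten) or "ok")
```

Running the same audit over the Set-Cookie headers your site actually returns (for example, copied from the browser's network panel) shows whether the rule and the application code are both setting the same attribute.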
