是否有可能以纪念饼干ASP.NET_sessionID为安全 [英] Is it possible to mark the cookie ASP.NET_sessionID as secure

问题描述

安全审核后，我设置cookie ASP.NET_sessionID为安全的要求。

After a security audit I got the requirement to set the cookie ASP.NET_sessionID as "secure".

眼下不设置标志。

我可以使用SessionIDManager将其设置为安全？我已经在使用本code登录后更改会话cookie的值：

Can I use SessionIDManager to set it as secure? I am already using it to change the value of the Session cookie after logging in with this code:

            System.Web.SessionState.SessionIDManager manager = new System.Web.SessionState.SessionIDManager();
            string oldId = manager.GetSessionID(System.Web.HttpContext.Current);
            string newId = manager.CreateSessionID(System.Web.HttpContext.Current);
            bool isAdd = false, isRedir = false;
            manager.SaveSessionID(System.Web.HttpContext.Current, newId, out isRedir, out isAdd);

修改

我看到了，我可以设置

<httpCookies httpOnlyCookies="false" requireSSL="true" />

但我只希望有这样一个cookie中的安全

But I only want to have this one cookie secure

推荐答案

这应使您能够设置Cookie的安全：

This should enable you to set the cookie as secure:

void Application_EndRequest(object sender, EventArgs e)
{
    var sessionCookieKey = Response.Cookies.AllKeys.SingleOrDefault(c => c.ToLower() == "asp.net_sessionid");
    var sessionCookie = Response.Cookies.Get(sessionCookieKey);
    if(sessionCookie != null)
    {
        sessionCookie.Secure = true;
    }
}

这篇关于是否有可能以纪念饼干ASP.NET_sessionID为安全的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！