有什么办法来删除从C＃Selenium测试的仅Http饼干吗？ [英] Is there any way to delete an HttpOnly cookie from C# Selenium tests?

问题描述

我有一组需要删除具有的HttpOnly标志设置cookie C＃Selenium测试。

I have a set of C# Selenium tests that need to delete a cookie that has the HttpOnly flag set.

不幸的是， DefaultSelenium.GetCookie（）和 DefaultSelenium.DeleteCookie（）命令无法访问饼干，因为它具有的HttpOnly标志设置。我已经删除了手旗，并检查后续要么这些方法的调用都是那么兴高采烈地能够操纵问题的饼干证实了这一点。

Unfortunately the DefaultSelenium.GetCookie() and DefaultSelenium.DeleteCookie() commands aren't able to access the cookie, because it has that HttpOnly flag set. I've confirmed this by removing the flag by hand, and checking that subsequent calls to either of those methods are then happily able to manipulate the cookie in question.

是否有任何其他方式通过硒.NET客户端驱动程序来做到这一点？

Is there any other way to do this via the Selenium .NET client driver?

所有的想法表示欢迎！

推荐答案

既然我无法通过客户端驱动程序要做到这一点，我必须找到一种替代方法。幸运的是，测试中的Web应用程序有一个选择的测试页面，允许使用会话cookie（即中HTTPOnly饼干我试图访问）互动，所以我能够通过自动化的页面，而不是实现我的目标。

Since I was unable to do this via the client driver, I had to find an alternative method. Fortunately, the web app under test has a selection of test pages that allow interaction with the session cookie (being the HttpOnly cookie I was trying to access) and so I was able to achieve my goal by automating those pages instead.

有关其他人认为遇到这​​个问题，有一个很好的<一个href=\"http://stackoverflow.com/questions/2247143/how-is-httponly-get-set-for-asp-net-sessionid-cookie/2247221#2247221\">SO回答这里了解仅Http是怎么烧入ASP.NET。

For anybody else that encounters this issue, there's a good SO answer here about how HttpOnly is burned into ASP.NET.

此外，<一个href=\"http://stackoverflow.com/questions/33529/how-exactly-do-you-configure-httponlycookies-in-asp-net/33541#33541\">this SO回答指出，如何仅Http可以通过应用程序的web.config文件进行操作，需要提醒的是它只能被打开，而不是关闭。

Additionally, this SO answer points out how HttpOnly can be manipulated via the app's web.config, with the caveat that it can only be turned on, not off.

任何人都愿意改变他们的应用程序用于测试目的应该检查出的此变通，基本上改变在session_start方法在Global.asax中剥离出来的HttpOnly标志，以便对客户端脚本访问。这种解决方法应该仅在测试环境中使用但是，因为它打开一个仅Http引入关闭安全漏洞 - 即XSS漏洞。杰夫阿特伍德写了一篇很好的博客文章在这里 。

Anybody willing to alter their application for testing purposes should check out this workaround, basically altering the Session_Start method in Global.asax to strip out the HttpOnly flag so that is accessible to client script. This kind of workaround should only be used in a test environment however, as it opens the security hole that HttpOnly was introduced to close - namely a XSS vulnerability. Jeff Atwood wrote a good blog post about it here.

这篇关于有什么办法来删除从C＃Selenium测试的仅Http饼干吗？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！