如何为ASP.NET_SessionId cookie设置HttpOnly？ [英] How is HttpOnly get set for ASP.NET_SessionId cookie?

问题描述

在我的网络专案设定开启httpOnlyCookies 不是那里。默认情况下为false。另外，在代码中没有将cookie设置为HttpOnly的地方。但是，当我浏览到网站，我可以看到ASP.NET_Session cookie正在作为HttpOnly传递。如何设置为HttpOnly？

In my web project setting to turn on httpOnlyCookies is not there. It is false by default. Also there is no place in code where cookie is being set to HttpOnly. However, when I browse to the site I can see that ASP.NET_Session cookie is being passed as HttpOnly. How is it set to HttpOnly?

推荐答案

ASP.NET会话cookie只有HTTP，不管 httpOnlyCookies 设置链接到您的问题，因为这是烧写到ASP.NET。

ASP.NET session cookies are HTTP only, regardless of the httpOnlyCookies setting linked to in your question, because this is burned into ASP.NET. You can't override this.

如果您深入研究了 System.Web.SessionState.SessionIDManager System.Web汇编创建ASP.NET会话cookie的代码如下：

If you dig into the System.Web.SessionState.SessionIDManager class in the System.Web assembly the code for creating the ASP.NET session cookie looks like:

private static HttpCookie CreateSessionCookie(string id)
{
    HttpCookie cookie = new HttpCookie(Config.CookieName, id);
    cookie.Path = "/";
    cookie.HttpOnly = true;   // <-- burned in
    return cookie;
}

这篇关于如何为ASP.NET_SessionId cookie设置HttpOnly？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！