有没有办法从C＃Selenium测试删除HttpOnly cookie？ [英] Is there any way to delete an HttpOnly cookie from C# Selenium tests?

问题描述

我有一组C＃Selenium测试，需要删除已设置HttpOnly标记的Cookie。

I have a set of C# Selenium tests that need to delete a cookie that has the HttpOnly flag set.

不幸的是， DefaultSelenium.GetCookie （）和 DefaultSelenium.DeleteCookie（）命令无法访问cookie，因为它设置了HttpOnly标志。我已经通过手动删除标志来确认这一点，并且检查对这些方法中的任何一个的后续调用然后能够愉快地操纵有问题的cookie。

Unfortunately the DefaultSelenium.GetCookie() and DefaultSelenium.DeleteCookie() commands aren't able to access the cookie, because it has that HttpOnly flag set. I've confirmed this by removing the flag by hand, and checking that subsequent calls to either of those methods are then happily able to manipulate the cookie in question.

通过Selenium .NET客户端驱动程序执行此操作的任何其他方式？

Is there any other way to do this via the Selenium .NET client driver?

所有想法欢迎！

推荐答案

由于我无法通过客户端驱动程序这样做，我不得不找到一种替代方法。幸运的是，测试中的web应用程序有一些测试页面，允许与会话cookie（我尝试访问的HttpOnly cookie）进行交互，所以我能够通过自动化这些页面来实现我的目标。

Since I was unable to do this via the client driver, I had to find an alternative method. Fortunately, the web app under test has a selection of test pages that allow interaction with the session cookie (being the HttpOnly cookie I was trying to access) and so I was able to achieve my goal by automating those pages instead.

对于遇到此问题的任何其他人，有一个很好的这里回答关于HttpOnly如何被烧写到ASP.NET的问题。

For anybody else that encounters this issue, there's a good SO answer here about how HttpOnly is burned into ASP.NET.

href =http://stackoverflow.com/questions/33529/how-exactly-do-you-configure-httponlycookies-in-asp-net/33541#33541>这个SO回答指出如何HttpOnly可以

Additionally, this SO answer points out how HttpOnly can be manipulated via the app's web.config, with the caveat that it can only be turned on, not off.

任何愿意为了测试目的而改变他们的应用程序的人都应该检查一下，然后通过应用程序的web.config来操纵它们，注意它只能打开，不能关闭。 此解决方法，基本上改变了Global.asax中的Session_Start方法以剥离HttpOnly标志，以便客户端脚本可以访问。这种解决方法应该只在测试环境中使用，因为它打开了HttpOnly引入关闭的安全漏洞 - 即XSS漏洞。 Jeff Atwood撰写了一篇有关它的好博客文章这里 a>。

Anybody willing to alter their application for testing purposes should check out this workaround, basically altering the Session_Start method in Global.asax to strip out the HttpOnly flag so that is accessible to client script. This kind of workaround should only be used in a test environment however, as it opens the security hole that HttpOnly was introduced to close - namely a XSS vulnerability. Jeff Atwood wrote a good blog post about it here.

这篇关于有没有办法从C＃Selenium测试删除HttpOnly cookie？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！