使ASP.NET_SessionId cookie不是httpOnly
[英]Make ASP.NET_SessionId cookie not httpOnly
问题描述
The cookie used for session in ASP.NET MVC is httpOnly (property set to true). 
用于ASP.NET MVC中的会话的cookie是httpOnly (属性设置为true)。
Is there a way to make it not httpOnly? 有没有办法让它不是httpOnly?
I want to be able to access this cookie from javascript. 我希望能够从javascript访问此cookie。
Even if it is less secure than the "What if all the universe stands against me?!" 即使它不如“如果所有的宇宙都反对我怎么样?!” default setting. 默认设置。
2 个解决方案
解决方案1
3 已采纳 2014-12-15 08:58:36
If you REALLY need it you could try to add this to your Global.asax: 如果你真的需要它,你可以尝试将它添加到你的Global.asax:
void Application_EndRequest(Object sender, EventArgs e)
{
if (Response.Cookies.Count > 0)
{
foreach (string s in Response.Cookies.AllKeys)
{
if (s == "ASP.NET_SessionId")
{
Response.Cookies["ASP.NET_SessionId"].HttpOnly = false;
}
}
}
}
解决方案2
0 2015-10-30 11:14:34
I built a system that uses cookies to store search params across the site. 我建立了一个使用cookie来存储整个站点搜索参数的系统。 On the home page there are links and I wanted to use jQuery to save a cookie with the item id in it. 在主页上有链接,我想使用jQuery来保存带有项ID的cookie。
But on click the user is then sent to an advanced search page where they can use .net controls to modify the search. 但是点击后,用户就会被发送到高级搜索页面,在那里他们可以使用.net控件来修改搜索。 The cookies are saved again but they needed to be writable by the js on the home page when the user browsed back. Cookie会再次保存,但是当用户浏览时,它们需要由主页上的js写入。
So I set HttpOnly like this: 所以我像这样设置HttpOnly:
var cookie = new HttpCookie(name)
{
Value = val,
HttpOnly = false // #DEV search cookies can be modified by JS
};
HttpContext.Current.Response.Cookies.Add(cookie);
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.