[英]Setting session cookie to HttpOnly
I am developing an ASP.NET MVC server with Entity Framework 6.0. 我正在使用Entity Framework 6.0开发ASP.NET MVC服务器。 As far as I'm aware, it's set up to be compatible with EF 4.5 (
<httpRuntime targetFramework="4.5" />
). 据我所知,它设置为与EF 4.5兼容(
<httpRuntime targetFramework="4.5" />
)。
I want to ensure that the session cookie (ie. cookie that stores the session identifier) is HttpOnly, since that's an industry-wide best practice, which helps protect against Cross-Site Request Forgery attacks. 我想确保会话cookie(即存储会话标识符的cookie)是HttpOnly,因为这是一个行业范围的最佳实践,它有助于防止跨站点请求伪造攻击。
The problem is, it's created automatically by the framework, so I can't simply change an object's property right after calling the constructor, as is the case with all the other cookies. 问题是,它是由框架自动创建的,所以我不能简单地在调用构造函数后立即更改对象的属性,就像所有其他cookie一样。
In Web.config
, I've set <httpCookies httpOnlyCookies="true" />
, and yet - when I retrieve the session cookie - it is not HttpOnly (its HttpCookie.HttpOnly property is set false
). 在
Web.config
,我设置了<httpCookies httpOnlyCookies="true" />
,然而 - 当我检索会话cookie时 - 它不是 HttpOnly(它的HttpCookie.HttpOnly属性设置为false
)。 And I don't quite know how to change that. 我不太清楚如何改变它。
I couldn't find anything in Microsoft's documentation about Web.config
's <sessionState>
that would change that. 我在微软关于
Web.config
的<sessionState>
的文档中找不到任何可以改变它的内容。 Here on Stack Overflow I only found a four year old question talking about how session cookie is HttpOnly by default , which is the precise opposite for me, and a five days old question asking why session cookie is not HttpOnly by default - which for some inexplicable reason was closed - without a comment - as a duplicate of the former. 在Stack Overflow上我只发现了一个四年前的问题,谈论默认情况下会话cookie是如何HttpOnly ,这对我来说是完全相反的,还有一个五天的问题,询问为什么会话cookie默认不是 HttpOnly - 这对于一些莫名其妙的问题理由被关闭 - 没有评论 - 作为前者的副本。
I know I can retrieve the session cookie, check it and set HttpOnly=true
on every request (or do that less often with a slightly more refined/hackish filter, or set it manually on login, or...), but I'm not a blood-soaked barbarian there has to be a proper way to do this. 我知道我可以检索会话cookie,检查它并在每个请求上设置
HttpOnly=true
(或者使用稍微更精细/ hackish的过滤器来做更少的事情,或者在登录时手动设置它,或者......),但是我我不是一个血淋淋的野蛮人必须有一个正确的方法来做到这一点。
So, how do I set the session cookie to HttpOnly? 那么,如何将会话cookie设置为HttpOnly?
Session Cookie will always be httponly . 会话Cookie将始终为httponly 。 You cannot modify or override it.
您无法修改或覆盖它。
when I retrieve the session cookie - it is not HttpOnly (its HttpCookie.HttpOnly property is set false).
当我检索会话cookie时 - 它不是HttpOnly(它的HttpCookie.HttpOnly属性设置为false)。
var cookie = Request.Cookies["ASP.Net_SessionId"];
if (cookie != null)
{
var httpOnly = cookie.HttpOnly; // <-- This is always false
}
HttpOnly value is always false at server-side, because client browser does not send back to server whether cookie is in httponly or not. HttpOnly值在服务器端始终为false,因为客户端浏览器不会将cookie发送回服务器,无论cookie是否为httponly。
You can use cookie editor such as Chrome Plugin EditThisCookie . 您可以使用Cookie编辑器,例如Chrome插件EditThisCookie 。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.