[英]How to check cookie options on server side using C# ASP.Net Core 3.1
I'm creating a cookie with the following options:我正在使用以下选项创建一个 cookie:
var cookieOptions = new CookieOptions
{
HttpOnly = true,
SameSite = SameSiteMode.Strict,
Secure = true
};
Response.Cookies.Append("myCookie", customerToken, cookieOptions);
I would love to validate when I get the cookie back from the browser that it's still created with httponly, samesite and secure before accepting it.当我从浏览器取回 cookie 时,我很想验证它仍然是使用 httponly、samesite 和安全创建的,然后才接受它。 Or is this just silly, can all of those be faked in the browser?
或者这只是愚蠢的,所有这些都可以在浏览器中伪造吗?
As you mentioned to validate, above should be the part of authorization.正如您提到的验证,上面应该是授权的一部分。 You can do it by use policy based Authorization where you can define policy's terms and conditions to be meant before executing any action.
您可以通过使用基于策略的授权来做到这一点,您可以在执行任何操作之前定义策略的条款和条件。
How to guide: https://docs.microsoft.com/en-us/aspnet/core/security/authorization/policies?view=aspnetcore-3.1#apply-policies-to-mvc-controllers如何指导: https://docs.microsoft.com/en-us/aspnet/core/security/authorization/policies?view=aspnetcore-3.1#apply-policies-to-mvc-controllers
First you read the cookie data from request.首先,您从请求中读取 cookie 数据。 and can use attribute authorization like:
[Authorize(Policy = "your policy name ")]
at endpoints/controller level并且可以在端点/控制器级别使用属性授权,例如:
[Authorize(Policy = "your policy name ")]
after that implement handler like: Auth Handler where you define your above mentioned conditions.之后实现处理程序,例如: Auth Handler ,您可以在其中定义上述条件。 It will fail the authorization if the token/cookie is not as per your conditions in handler.
如果令牌/cookie 不符合您在处理程序中的条件,它将无法授权。
Based on the feedback so far, it looks like that information is not accessible, it is not even sent from the client to the server, only key/value pairs.根据目前的反馈,信息似乎无法访问,甚至没有从客户端发送到服务器,只有键/值对。 That being said, even if it was accessible, it can be manipulated by the browser which invalidates my use case to begin with!
话虽如此,即使它是可访问的,它也可以被浏览器操纵,这使我的用例一开始就无效!
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.