How to check cookie options on server side using C# ASP.Net Core 3.1

I'm creating a cookie with the following options:

var cookieOptions = new CookieOptions
{
    HttpOnly = true,
    SameSite = SameSiteMode.Strict,
    Secure = true
};
Response.Cookies.Append("myCookie", customerToken, cookieOptions);

I would love to validate when I get the cookie back from the browser that it's still created with httponly, samesite and secure before accepting it. Or is this just silly, can all of those be faked in the browser?

As you mentioned to validate, the above should be part of authorization. You can do it by using policy-based authorization, where you can define the policy's terms and conditions to be met before executing any action.

How to guide: https://docs.microsoft.com/en-us/aspnet/core/security/authorization/policies?view=aspnetcore-3.1#apply-policies-to-mvc-controllers

First you read the cookie data from the request, and you can use attribute authorization like: [Authorize(Policy = "your policy name ")] at endpoints/controller level.

After that, implement a handler like: Auth Handler, where you define your above-mentioned conditions. It will fail the authorization if the token/cookie is not as per your conditions in the handler.

Based on the feedback so far, it looks like that information is not accessible, it is not even sent from the client to the server, only key/value pairs. That being said, even if it was accessible, it can be manipulated by the browser which invalidates my use case to begin with!
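
An added example, not part of the original question or answers: since the request carries only name=value pairs, what the server can verify is the integrity of the cookie value, not the attributes it was set with. The class `ProtectedTokenCookie`, its purpose string and the `__Host-` cookie name are assumptions made for this sketch, which uses ASP.NET Core Data Protection and expects `services.AddDataProtection()` to be registered in `Startup`.

```csharp
using System.Security.Cryptography;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.Http;

// Hypothetical helper (not from the original post): writes the token cookie with the
// same options as the question and validates the returned value on the server.
public class ProtectedTokenCookie
{
    // Browsers that implement cookie name prefixes only store a "__Host-" cookie when it
    // is set with Secure, Path=/ and no Domain. This says nothing about HttpOnly or
    // SameSite, and a non-browser client can still send any Cookie header it likes.
    private const string CookieName = "__Host-myCookie";
    private readonly IDataProtector _protector;

    public ProtectedTokenCookie(IDataProtectionProvider provider) =>
        _protector = provider.CreateProtector("ProtectedTokenCookie.v1"); // assumed purpose string

    public void Write(HttpResponse response, string customerToken)
    {
        var cookieOptions = new CookieOptions
        {
            HttpOnly = true,
            SameSite = SameSiteMode.Strict,
            Secure = true,
            Path = "/" // required by the __Host- prefix
        };
        // Protect() encrypts and authenticates the token, so any change made on the
        // client side is detected when the cookie comes back.
        response.Cookies.Append(CookieName, _protector.Protect(customerToken), cookieOptions);
    }

    public bool TryRead(HttpRequest request, out string customerToken)
    {
        customerToken = null;
        // Only the name and value are available here; the attributes are never sent back.
        if (!request.Cookies.TryGetValue(CookieName, out var raw))
            return false;
        try
        {
            customerToken = _protector.Unprotect(raw);
            return true;
        }
        catch (CryptographicException)
        {
            return false; // altered, forged, or protected with a different key or purpose
        }
    }
}
```

`TryRead` can be called from the authorization handler described in the answer above, failing the requirement when it returns false.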


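Notice: The technical posts on this site follow the CC BY-SA 4.0 license. If you need to republish, please cite this site's URL or the original address. For any questions, contact: yoyou2525@163.com.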

© 2020-2024 STACKOOM.COM