如何将页面中的所有cookie变量设置为ASP中的HTTPOnly?
答案 0 :(得分:11)
我害怕使用Response.Cookies集合在设置HttpOnly时不起作用(它让我慢慢疯了!)。 由于vbscript(至少在我正在测试的服务器上)将对分号进行字符编码。
相反,请自行手动添加标题,例如:
Response.AddHeader "Set-Cookie", "YourCookieName=YourCookieValue; path=/; HttpOnly"
stackoverflow上有一个类似的帖子叫做How exactly do you configure httpOnly Cookies in ASP Classic?
答案 1 :(得分:1)
我编译了Microsoft的ISAPI过滤器示例(http://msdn.microsoft.com/en-us/library/ms972826)。这解决了我的问题。
ISAPI DLL在这里https://www.dropbox.com/s/e5mq749acms0rhx/HTTPOnly.dll?dl=0
随意下载。
答案 2 :(得分:-1)
Response.AddHeader "Set-Cookie", ""&CStr(Request.ServerVariables("HTTP_COOKIE"))&";path=/;HttpOnly"&""
答案 3 :(得分:-1)
古老的问题,但我必须自己想出遗留应用程序。
经典ASP的Response.Cookies集合只是没有添加HttpOnly标记的技巧。你需要使用
Response.AddHeader("Set-Cookie", useful_value)
让这个工作。如果您尝试在此{<1}}集合中设置项目的路径属性
Response.Cookies它有助于URLEncodes分号,从而破坏路径。
所以,我为这个目的敲了几个经典的asp函数,在这里提供了与每个与经典asp一起生活的人的团结。
Response.Cookies["stupid"].Path = "/; HttpOnly"
要使用此功能,请将其命名为
' given a Date item, return the text string suitable for a cookie's expires= field.
' For example: Tue, 02-Aug-2016 18:57:00 GMT
function RFC6265Date (inputDate)
' (we are on EST, Z-5, so offset the time. Classic ASP, no timezone support)
dim date: date = DateAdd("h",5,inputDate)
dim v : v = WeekdayName(Weekday(date),true) & ", "
v = v & Right("00" & Day(date), 2) & "-"
v = v & MonthName(Month(date),true) & "-" & Year(date) & " "
v = v & FormatDateTime(date,4) & ":00 GMT"
RFC6265Date = v
end function
' make cookie header value including various security items
function RFC6265CookieValue(name, val, inputDate, domain)
'name=tok=val&tok=val&tok=val; domain=.glance.net; expires=Tue, 02-Aug-2016 18:57:00 GMT; path=/; HttpOnly; secure
dim cv : cv = name & "="
cv = cv & val & "; "
if inputDate <> "" then
cv = cv & "expires=" & RFC6265Date(inputDate) & "; "
end if
if domain <> "" then
cv = cv & "domain=" & domain & "; "
end if
cv = cv & "path=/; HttpOnly; Secure"
RFC6265CookieValue = cv
end function
(经典的ASP就像迪斯科舞厅。一代以后,仍糟透了。)