在使用自定义404页面时,我遇到了让IIS7将所有会话cookie设为HTTPONLY的问题。
这是我的webconfig:
<rewrite>
<outboundRules>
<rule name="Add HttpOnly" preCondition="No HttpOnly">
<match serverVariable="RESPONSE_Set_Cookie" pattern=".*" negate="false" />
<action type="Rewrite" value="{R:0}; HttpOnly" />
<conditions>
</conditions>
</rule>
<preConditions>
<preCondition name="No HttpOnly">
<add input="{RESPONSE_Set_Cookie}" pattern="." />
<add input="{RESPONSE_Set_Cookie}" pattern="; HttpOnly" negate="true" />
</preCondition>
</preConditions>
</outboundRules>
</rewrite>
<httpErrors>
<remove statusCode="404" subStatusCode="-1" />
<error statusCode="404" prefixLanguageFilePath="" path="/404.asp" responseMode="ExecuteURL" />
</httpErrors>
这使得我的所有cookie都是HTTPONLY,除非有404响应。 404页面返回没有HTTPONLY的会话cookie。
有什么建议吗?