不幸的是,我们的应用程序仍然必须在HTTP上与HTTPS一起运行。我正在尝试通过HTTPS保护请求的.net会话cookie,但它似乎忽略了安全标志。
if (response.Cookies.Count > 0) {
foreach (string cookieName in response.Cookies.AllKeys) {
if (cookieName == FormsAuthentication.FormsCookieName
|| cookieName.ToLower().Contains("login")
|| cookieName.ToLower().Contains("session")) {
if (HttpContext.Current.Request.Url.Scheme.ToLower() == "https") {
log.Info("Setting cookie " + cookieName + " to secure on url " + HttpContext.Current.Request.RawUrl);
response.Cookies[cookieName].Secure = true;
} else {
log.Info("Not Setting cookie " + cookieName + " to secure as scheme is " + HttpContext.Current.Request.Url.Scheme + "on url " + HttpContext.Current.Request.RawUrl);
}
response.Cookies[cookieName].HttpOnly = true;
}
}
}
代码设置标志正常,但是当通过HTTPS请求时,不设置安全标志。
Response sent 64 bytes of Cookie data:
Set-Cookie: ASP.NET_SessionId=5bvrhhf223xp4ahgfruurv4v; path=/; HttpOnly
是否有其他方法可以为 会话Cookie设置此内容?