Internet Explorer 11不通过HTTP发送*非安全* cookie(通过HTTPS设置)

时间:2016-08-18 09:47:30

标签: internet-explorer cookies internet-explorer-11

使用IE11调试Web应用程序时遇到问题。使用Fiddler,我在跟随应用程序的相同路线时建立了IE和Chrome之间的行为差​​异

我遵循的程序是:

以下是行为差异的来源 - Chrome将在请求中设置Cookie:标头并发送已设置的Cookie。 IE根本不会设置Cookie标头,应用程序拒绝提供页面

auth站点的行为一致,标题如下:

HTTP/1.1 302 Found
Cache-Control: private
Content-Type: text/html; charset=utf-8
Location: /loggedin/
Server: Microsoft-IIS/8.5
Set-Cookie: .ASPXFORMSAUTH=; domain=.myco.com; expires=Wed, 17-Aug-2016 08:43:54 GMT; path=/; secure; HttpOnly
Set-Cookie: .ASPXFORMSAUTH=BLAHBLAHBLAH; domain=.myco.com; path=/; HttpOnly
X-Frame-Options: SAMEORIGIN
Date: Thu, 18 Aug 2016 08:43:54 GMT
Content-Length: 128
Access-Control-Allow-Origin: *

这是IE向“您已登录”页面发出请求,authsite在成功登录后重定向到(cookie存在):

GET https://auth.myco.com/loggedin/ HTTP/1.1
Accept: text/html, application/xhtml+xml, image/jxr, */*
Referer: https://auth.myco.com/
Accept-Language: en-GB,en;q=0.7,ja;q=0.3
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: auth.myco.com
Connection: Keep-Alive
Cache-Control: no-cache
DNT: 1
Cookie: ASP.NET_SessionId=sao3x3skzhcgquylfcaokvt0; .ASPXFORMSAUTH=BLAHBLAHBLAH

然后我们将地址栏更改为http://local.myco.com:54321(解析为127.0.0.1)和bam! cookie已经消失..但它没有设置“安全”标志!

GET http://local.myco.com:12345/ HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.7,ja;q=0.3
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Accept-Encoding: gzip, deflate
Host: local.myco.com:12345
Connection: Keep-Alive

如上所述,我系统上的所有其他浏览器都可以正常使用;它只是IE中的auth cookie。

关于下一步行动的任何线索

0 个答案:

没有答案