我正在使用服务堆栈处理自托管的Windows HTTP服务,我有一个请求实现基本身份验证(用户名/密码)来验证调用应用程序。这是我现在使用的代码,它工作正常:
Plugins.Add(new AuthFeature(() => new AuthUserSession() {},
new IAuthProvider[] { new BasicAuthProvider() })); //CustomBasicAuthProvider()
container.Register<ICacheClient>(new MemoryCacheClient());
var userRepository = new InMemoryAuthRepository();
container.Register<IUserAuthRepository>(userRepository);
string hash;
string salt;
new SaltedHash().GetHashAndSaltString("passwordinhere", out hash, out salt);
userRepository.CreateUserAuth(new UserAuth()
{
Id = 1,
DisplayName = "userdisplayname",
UserName = "usernameinhere",
PasswordHash = hash,
Salt = salt
}
, "app");
当我检查来自我服务的响应标题时,我清楚地看到它包含2个cookie:
Set-Cookie:ss-id = dT8Yy6ejhgfjhgfkVvcxcxCNtngYRS4; path = /
Set-Cookie:ss-pid = p4lsgo18JhYF4CTcxkhgkhgffRZob; path = /; expires = Fri,20 Jan Jan 20:17:03 GMT
我需要配置ServiceStack来添加; httpOnly标记这些cookie是出于安全目的,但我找不到如何做。
所以大家好,有人知道该怎么做?任何想法都非常受欢迎。
提前感谢您的帮助:)
答案 0 :(得分:0)
You can control whether HttpOnly flag are set on Cookies with Config.AllowNonHttpOnlyCookies which by default is false so would always set the HttpOnly flag. Unfortunately this setting was ignored with self-hosts which is now resolved with this commit which will now populate HttpOnly flag for all Cookies by default.
This change is available from v4.5.5+ that's now available on MyGet.