我使用VeraCode验证我的代码,在验证中,我发现了一个漏洞类型CRLF Injection,因为我使用了一些cookie。我试图用httpOnlyCookies=true文件中的标签web.config或后面的C#代码中的CookieName.HttpOnly = true来解决,但是它没有通过VeraCode中的验证。你有什么主意吗?
这是我的代码,我在超类UserInfo.cs中声明了cookie:
private HttpCookie httpCookie = null;
public UserInfo()
{
if (this.httpCookie == null)
{
this.httpCookie = this.Context.Request.Cookies["ExampleCookie"];
}
if (this.httpCookie == null)
{
this.httpCookie = new HttpCookie("ExampleCookie");
this.httpCookie.HttpOnly = true; //I tried with this too
this.Context.Response.Cookies.Set(this.httpCookie);
}
}
static public UserInfo GetCurrent
{
get
{
return new UserInfo();
}
}
public string UserName
{
set
{
this.httpCookie.Values["UserName"] = value.ToString();
this.Context.Response.SetCookie(this.httpCookie);
}
get
{
return this.httpCookie["UserName"] == null ? string.Empty : this.httpCookie["UserName"].ToString();
}
}
web.config:
<system.web>
<httpCookies httpOnlyCookies="true" />