How exactly do I configure HttpOnly cookies in ASP Classic?

Posted 2024-07-05 04:21:46

I'm looking to implement httpOnly in my legacy ASP classic sites.
Anyone knows how to do it?

Comments (6)

风月客 2024-07-12 04:21:46

If you run your Classic ASP web pages on IIS 7/7.5, then you can use the IIS URL Rewrite module to write a rule to make your cookies HTTPOnly.

Paste the following into the <system.webServer> section of your web.config:

<rewrite>
    <outboundRules>
        <rule name="Add HttpOnly" preCondition="No HttpOnly">
            <match serverVariable="RESPONSE_Set_Cookie" pattern=".*" negate="false" />
            <action type="Rewrite" value="{R:0}; HttpOnly" />
            <conditions>
            </conditions>
        </rule>
        <preConditions>
            <preCondition name="No HttpOnly">
                <add input="{RESPONSE_Set_Cookie}" pattern="." />
                <add input="{RESPONSE_Set_Cookie}" pattern="; HttpOnly" negate="true" />
            </preCondition>
        </preConditions>
    </outboundRules>
</rewrite>

See here for the details: http://forums.iis.net/t/1168473.aspx/1/10

For background, HTTPOnly cookies are required for PCI compliance reasons. The PCI standards folks (for credit card security) make you have HTTPOnly on your sessionID cookies at the very least in order to help prevent XSS attacks.

Also, at the current time (2-11-2013), all major browsers support the HTTPOnly restriction on cookies. This includes current versions of IE, Firefox, Chrome and Safari.

See here for more info on how this works and support by various browser versions:
https://www.owasp.org/index.php/HTTPOnly

遗心遗梦遗幸福 2024-07-12 04:21:46
' Re-emits the raw request Cookie header as one Set-Cookie; this only preserves the first cookie when the request carries several
Response.AddHeader "Set-Cookie", CStr(Request.ServerVariables("HTTP_COOKIE")) & "; path=/; HttpOnly"
ぶ宁プ宁ぶ 2024-07-12 04:21:46
Response.AddHeader "Set-Cookie", "mycookie=yo; HttpOnly"

Other options like expires, path and secure can be also added in this way. I don't know of any magical way to change your whole cookies collection, but I could be wrong about that.

笑看君怀她人 2024-07-12 04:21:46

You need to append ";HttpOnly" to the Response cookies collection.

云柯 2024-07-12 04:21:46

If you are using IIS7 or IIS7.5 and install the URL Rewriting add-in then you can do this. You can create a rewriting rule that adds "HttpOnly" to any outgoing "Set-Cookie" headers. Paste the following into the <system.webServer> section of your web.config. I then used Fiddler to prove the output.

Regards, Jeremy

    <rewrite>
        <outboundRules>
            <rule name="Add HttpOnly" preCondition="No HttpOnly">
                <match serverVariable="RESPONSE_Set_Cookie" pattern=".*" negate="false" />
                <action type="Rewrite" value="{R:0}; HttpOnly" />
                <conditions>
                </conditions>
            </rule>
            <preConditions>
                <preCondition name="No HttpOnly">
                    <add input="{RESPONSE_Set_Cookie}" pattern="." />
                    <add input="{RESPONSE_Set_Cookie}" pattern="; HttpOnly" negate="true" />
                </preCondition>
            </preConditions>
        </outboundRules>
    </rewrite>
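
As an added check (not code from any of the answers above), this Python models the rule's precondition and action on a constructed set of Set-Cookie headers and audits which cookies would still lack HttpOnly or Secure. It also shows that the pattern "; HttpOnly" does not recognise ";HttpOnly" written without a space, so such a cookie gets the attribute appended a second time (harmless, but visible when you inspect the response in Fiddler).

```python
"""Models the outbound rule in the answer above and audits Set-Cookie headers.
Added example, not code from the original answers; sample headers are constructed."""
import re

# Precondition "No HttpOnly": header non-empty and not already containing
# "; HttpOnly". URL Rewrite matches case-insensitively by default (ignoreCase="true").
_HAS_HTTPONLY = re.compile(r"; HttpOnly", re.IGNORECASE)


def rewrite_set_cookie(value: str) -> str:
    """Apply the rule's action ({R:0}; HttpOnly) to one Set-Cookie header value."""
    if value and not _HAS_HTTPONLY.search(value):
        return value + "; HttpOnly"
    return value


def cookie_attributes(value: str) -> tuple[str, set[str]]:
    """Return (cookie name, lower-cased attribute names) for one Set-Cookie value."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return name, attrs


def audit(headers: list[str], require_secure: bool = False) -> list[str]:
    """Names of cookies lacking HttpOnly (and Secure, when require_secure is set)."""
    missing = []
    for value in headers:
        name, attrs = cookie_attributes(value)
        if "httponly" not in attrs or (require_secure and "secure" not in attrs):
            missing.append(name)
    return missing


# Constructed sample of what a Classic ASP response might send before the rule runs.
SAMPLE_HEADERS = [
    "ASPSESSIONIDQQRTCSRC=ABCDEFGHIJKLMNOPQRSTUVWX; path=/",
    "prefs=dark; expires=Fri, 31 Dec 2027 23:59:59 GMT; path=/",
    "token=abc; path=/;HttpOnly",  # no space before HttpOnly: pattern "; HttpOnly" misses it
    "auth=xyz; Secure; HttpOnly",
]

if __name__ == "__main__":
    rewritten = [rewrite_set_cookie(h) for h in SAMPLE_HEADERS]
    print("missing HttpOnly before rule:", audit(SAMPLE_HEADERS))
    print("missing HttpOnly after rule: ", audit(rewritten))
    print("missing Secure too:          ", audit(rewritten, require_secure=True))
    for h in rewritten:  # third cookie ends up with a harmless duplicate attribute
        print("Set-Cookie:", h)
```

The rule only adds HttpOnly; the audit with require_secure=True shows which cookies would still need a Secure flag from the application itself.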
飘然心甜 2024-07-12 04:21:46

HttpOnly does very little to improve the security of web applications. For one thing, it only works in IE (Firefox "supports" it, but still discloses cookies to Javascript in some situations). For another thing, it only prevents a "drive-by" attack against your application; it does nothing to keep a cross-site scripting attack from resetting passwords, changing email addresses, or placing orders.

Should you use it? Sure. It's not going to hurt you. But there are 10 things you should be sure you're doing before you start messing with HttpOnly.
