How can I set the Secure flag on an ASP.NET session cookie?

Posted 2024-08-05 06:49:33


How can I set the Secure flag on an ASP.NET Session Cookie, so that it will only be transmitted over HTTPS and never over plain HTTP?

Comments (5)

漫漫岁月 2024-08-12 06:49:33

In the <system.web> element, add the following element:

<httpCookies requireSSL="true" />

However, if you have a <forms> element in your system.web\authentication block, then this will override the setting in httpCookies, setting it back to the default false.

In that case, you need to add the requireSSL="true" attribute to the forms element as well.

So you will end up with:

<system.web>
    <authentication mode="Forms">
        <forms requireSSL="true">
            <!-- forms content -->
        </forms>
    </authentication>
</system.web>

See here and here for MSDN documentation of these elements.

心不设防 2024-08-12 06:49:33

There are two ways. The httpCookies element in web.config lets you turn on requireSSL, which transmits all cookies, including the session cookie, over SSL only; there is also a setting inside forms authentication. But if you turn on SSL on httpCookies, you must also turn it on inside the forms configuration.

Edit for clarity:
Put this in <system.web>:

<httpCookies requireSSL="true" />

淡紫姑娘! 2024-08-12 06:49:33

Things get messy quickly if you are talking about checked-in code in an enterprise environment. We've found that the best approach is to have the web.Release.config contain the following:

<system.web>
  <compilation xdt:Transform="RemoveAttributes(debug)" />
  <authentication>
      <forms xdt:Transform="Replace" timeout="20" requireSSL="true" />
  </authentication>
</system.web>

That way, developers are not affected (running in Debug), and only servers that get Release builds are requiring cookies to be SSL.

凉薄对峙 2024-08-12 06:49:33

Building upon @Mark D's answer I would use web.config transforms to set all the various cookies to Secure. This includes setting anonymousIdentification cookieRequireSSL and httpCookies requireSSL.

To that end you'd setup your web.Release.config as:

<?xml version="1.0"?>
<configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">
  <system.web>
    <httpCookies xdt:Transform="SetAttributes(httpOnlyCookies)" httpOnlyCookies="true" />
    <httpCookies xdt:Transform="SetAttributes(requireSSL)" requireSSL="true" />
    <anonymousIdentification xdt:Transform="SetAttributes(cookieRequireSSL)" cookieRequireSSL="true" /> 
  </system.web>
</configuration>

If you're using Roles and Forms Authentication with the ASP.NET Membership Provider (I know, it's ancient) you'll also want to set the roleManager cookieRequireSSL and the forms requireSSL attributes as secure too. If so, your web.release.config might look like this (included above plus new tags for membership API):

<?xml version="1.0"?>
<configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">
  <system.web>
    <httpCookies xdt:Transform="SetAttributes(httpOnlyCookies)" httpOnlyCookies="true" />
    <httpCookies xdt:Transform="SetAttributes(requireSSL)" requireSSL="true" />
    <anonymousIdentification xdt:Transform="SetAttributes(cookieRequireSSL)" cookieRequireSSL="true" /> 
    <roleManager xdt:Transform="SetAttributes(cookieRequireSSL)" cookieRequireSSL="true" />
    <authentication>
        <forms xdt:Transform="SetAttributes(requireSSL)" requireSSL="true" />
    </authentication>
  </system.web>
</configuration>

Background on web.config transforms here: http://go.microsoft.com/fwlink/?LinkId=125889

Obviously this goes beyond the original question of the OP but if you don't set them all to secure you can expect that a security scanning tool will notice and you'll see red flags appear on the report. Ask me how I know. :)
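To see what the web.Release.config fragments in the two answers above actually produce, here is an added example (not code from either answer, and not Microsoft's XDT engine). It re-implements, with Python's standard xml.etree, only the three transforms these fragments use (SetAttributes, RemoveAttributes, Replace), matching elements by path as the fragments do, without xdt:Locator support. The two base web.config documents are constructed. It demonstrates two things a build log will only hint at: SetAttributes changes an element only if the base web.config already declares it, so a site that relies on the default <httpCookies> gets no requireSSL from the transform (XDT logs a warning and moves on), and Replace on <forms> discards every attribute the base declared (loginUrl here) that the transform does not repeat.

```python
"""Mini XDT: apply web.Release.config transforms to a web.config and inspect
the cookie flags.  Added example, not the original answers' code and not
Microsoft.Web.XmlTransform; only the subset used on this page is implemented."""
import copy
import xml.etree.ElementTree as ET

XDT = "{http://schemas.microsoft.com/XML-Document-Transform}"

# The release transform from the answer above (XML declaration omitted).
RELEASE_TRANSFORM = """\
<configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">
  <system.web>
    <httpCookies xdt:Transform="SetAttributes(httpOnlyCookies)" httpOnlyCookies="true" />
    <httpCookies xdt:Transform="SetAttributes(requireSSL)" requireSSL="true" />
    <anonymousIdentification xdt:Transform="SetAttributes(cookieRequireSSL)" cookieRequireSSL="true" />
    <roleManager xdt:Transform="SetAttributes(cookieRequireSSL)" cookieRequireSSL="true" />
    <authentication>
      <forms xdt:Transform="SetAttributes(requireSSL)" requireSSL="true" />
    </authentication>
  </system.web>
</configuration>"""

# Constructed base web.config that declares every element the transform targets.
FULL_BASE = """\
<configuration>
  <system.web>
    <compilation debug="true" targetFramework="4.5" />
    <httpCookies httpOnlyCookies="false" requireSSL="false" />
    <anonymousIdentification enabled="true" />
    <roleManager enabled="true" />
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx" timeout="20" />
    </authentication>
  </system.web>
</configuration>"""

# Constructed base web.config that relies on defaults for everything but forms auth.
MINIMAL_BASE = """\
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx" />
    </authentication>
  </system.web>
</configuration>"""


def _children(parent, tag):
    return [c for c in parent if c.tag == tag]


def _parse_transform(value):
    """'SetAttributes(a, b)' -> ('SetAttributes', ['a', 'b']); 'Replace' -> ('Replace', [])."""
    name, _, rest = value.partition("(")
    args = [a.strip() for a in rest.rstrip(")").split(",") if a.strip()]
    return name.strip(), args


def _apply(src_parent, xf_parent, path, warnings):
    for xf_child in list(xf_parent):
        child_path = "%s/%s" % (path, xf_child.tag)
        matches = _children(src_parent, xf_child.tag)
        transform = xf_child.get(XDT + "Transform")
        if transform is None:
            # A plain container node: descend into the matching source nodes.
            for m in matches:
                _apply(m, xf_child, child_path, warnings)
            continue
        if not matches:
            # Like XDT: no matching element means a build warning and no change.
            warnings.append("no element matches %s; '%s' skipped" % (child_path, transform))
            continue
        name, args = _parse_transform(transform)
        plain = {k: v for k, v in xf_child.attrib.items() if not k.startswith(XDT)}
        for m in matches:
            if name == "SetAttributes":
                for a in (args or list(plain)):
                    m.set(a, plain[a])
            elif name == "RemoveAttributes":
                for a in args:
                    m.attrib.pop(a, None)
            elif name == "Replace":
                # The replacement carries only what the transform declares.
                new = ET.Element(xf_child.tag, plain)
                new.extend(copy.deepcopy(list(xf_child)))
                src_parent[list(src_parent).index(m)] = new
            else:
                raise ValueError("transform not implemented here: " + name)


def apply_transform(base_xml, transform_xml):
    """Return (transformed web.config as a string, list of warnings)."""
    src = ET.fromstring(base_xml)
    warnings = []
    _apply(src, ET.fromstring(transform_xml), "/" + src.tag, warnings)
    return ET.tostring(src, encoding="unicode"), warnings


def cookie_flags(config_xml):
    """The five cookie-security attributes a scanner checks; None when absent."""
    root = ET.fromstring(config_xml)
    system_web = next(iter(_children(root, "system.web")), None)

    def attr(*path_and_name):
        *path, attr_name = path_and_name
        node = system_web
        for tag in path:
            node = next(iter(_children(node, tag)), None) if node is not None else None
        return None if node is None else node.get(attr_name)

    return {
        "httpCookies.requireSSL": attr("httpCookies", "requireSSL"),
        "httpCookies.httpOnlyCookies": attr("httpCookies", "httpOnlyCookies"),
        "forms.requireSSL": attr("authentication", "forms", "requireSSL"),
        "roleManager.cookieRequireSSL": attr("roleManager", "cookieRequireSSL"),
        "anonymousIdentification.cookieRequireSSL": attr("anonymousIdentification", "cookieRequireSSL"),
    }


def release_flags(base_xml):
    """Apply RELEASE_TRANSFORM to a base web.config and report the resulting flags."""
    transformed, warnings = apply_transform(base_xml, RELEASE_TRANSFORM)
    return cookie_flags(transformed), warnings


if __name__ == "__main__":
    for label, base in (("full", FULL_BASE), ("minimal", MINIMAL_BASE)):
        flags, warnings = release_flags(base)
        print(label, flags)
        for w in warnings:
            print("  WARNING:", w)
```

Running it against MINIMAL_BASE leaves httpCookies.requireSSL at None with four warnings, which is the session cookie shipping to production without Secure despite a "correct" web.Release.config; the fix is to declare <httpCookies>, <anonymousIdentification> and <roleManager> in the base web.config (with the insecure defaults, if you like) so the release transform has something to set.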

情魔剑神 2024-08-12 06:49:33

secure - This attribute tells the browser to only send the cookie if the request is being sent over a secure channel such as HTTPS. This will help protect the cookie from being passed over unencrypted requests. If the application can be accessed over both HTTP and HTTPS, then there is the potential that the cookie can be sent in clear text.
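Whichever of the web.config settings above you apply, the check that matters is what the server really sends. The following is an added example, not part of the original answers: it parses the Set-Cookie headers of a response and reports which cookies lack Secure (and HttpOnly), mapping each default ASP.NET cookie name to the setting that controls it. The response headers are constructed, and the cookie names assume the site has not renamed the framework defaults.

```python
"""Audit Set-Cookie headers for the Secure and HttpOnly attributes.
Added example; SAMPLE_RESPONSE is constructed, not captured from a real site."""

# Default ASP.NET cookie names (assumption: not renamed in this site's config)
# and the web.config attribute that puts the Secure flag on each of them.
CONTROLLED_BY = {
    "ASP.NET_SessionId": "httpCookies requireSSL",
    ".ASPXAUTH": "forms requireSSL",
    ".ASPXANONYMOUS": "anonymousIdentification cookieRequireSSL",
    ".ASPXROLES": "roleManager cookieRequireSSL",
}

# Constructed sample: a Forms/Membership site where only forms requireSSL is on.
SAMPLE_RESPONSE = """\
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Set-Cookie: ASP.NET_SessionId=5n2k3j4h5g6f7d8s; path=/; HttpOnly
Set-Cookie: .ASPXAUTH=7A1F0C9E2B3D4F60; path=/; secure; HttpOnly
Set-Cookie: .ASPXANONYMOUS=dHJ1ZQ; expires=Sat, 01-Nov-2025 00:00:00 GMT; path=/; HttpOnly
Set-Cookie: .ASPXROLES=QWRtaW4; path=/; HttpOnly
Set-Cookie: ThemePreference=dark; path=/
"""


def parse_set_cookie(value):
    """Split 'name=val; attr; attr=val' into (name, value, {attr_lower: val_or_True})."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name, _, val = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, has_eq, attr_val = part.partition("=")
        # Cookie attribute names are case-insensitive (RFC 6265); normalise them.
        attrs[key.strip().lower()] = attr_val.strip() if has_eq else True
    return name.strip(), val, attrs


def audit_response(raw_headers):
    """Map each cookie set by the response to the flags it lacks and the fix."""
    findings = {}
    for line in raw_headers.splitlines():
        header, sep, value = line.partition(":")
        if sep and header.strip().lower() == "set-cookie":
            name, _, attrs = parse_set_cookie(value)
            missing = [flag for flag in ("secure", "httponly") if flag not in attrs]
            findings[name] = {
                "missing": missing,
                "fix": CONTROLLED_BY.get(
                    name, "not a framework cookie; set Secure where the code creates it"),
            }
    return findings


def insecure_cookies(raw_headers):
    """Names of cookies the browser would still send over plain HTTP."""
    return sorted(name for name, f in audit_response(raw_headers).items()
                  if "secure" in f["missing"])


if __name__ == "__main__":
    for name, finding in audit_response(SAMPLE_RESPONSE).items():
        if finding["missing"]:
            print("%-20s missing %-18s -> %s" % (name, ",".join(finding["missing"]), finding["fix"]))
```

Feed it the output of `curl -sI https://your-host/` (or a saved response from a proxy) instead of SAMPLE_RESPONSE; a cookie that appears in the list is exactly what the scanners mentioned in the previous answer will flag.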
