即使禁用,安全扫描也会在 ASP.NET 应用程序中找到 httpOnly cookie
我尝试使用 web.config 标记在 WSS 3.0 表单身份验证应用程序中启用 httpOnly cookie。 Cenzic Hailstorm 安全扫描报告声称,cookie 是在标记关闭的情况下生成的,包括 .ASPXAUTH cookie、一个与 Discovery.asmx 相关的 cookie,以及一个与 WSS_AccessibiltyFeature 相关的 cookie。我的问题是:
- 扫描是否有可能出错?
- 关于 cookie 的创建方式,有什么我不明白的地方吗?这些是否不受 httpOnly 标志的约束?
- 有没有办法验证自己 cookie 是否以 httpOnly 形式出现?我知道 Fiddler 的 Watcher 插件,但我一直无法让它工作(我正在与开发人员沟通)。当然还有其他东西可以检查cookie。
I have tried to enable httpOnly cookies in my WSS 3.0 forms-authentication application using the web.config tag. A Cenzic Hailstorm security scan report claims that cookies are being produced with the flag off, including the .ASPXAUTH cookie, one related to Discovery.asmx, and one related to WSS_AccessibiltyFeature. Here are my questions:
- Is there some way the scan could be mistaken?
- Is there something I do not understand about how the cookies are created? Are these exempt from the httpOnly flag?
- Is there a way to verify myself that the cookies are coming out as httpOnly? I am aware of the Watcher add-on for Fiddler but I have had not been able to get that to work (I am communicating with the developer). Surely there is something else that can examine the cookie.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
实际上,您可以使用 Fiddler 查看 HTTP 请求的原始来源。这应该告诉您有关 httpOnly cookie 的信息。
在这里查看更多相关信息:
http://www.codinghorror.com/blog/archives/001167.html
Actually, you can use Fiddler to look at the Raw source of your HTTP request. That should tell you about the httpOnly cookies.
See more about this here:
http://www.codinghorror.com/blog/archives/001167.html