与 /_vti_bin/Discovery.asmx 相关的 cookie 是什么?为什么我无法设置其安全属性?
我有一个使用表单身份验证的 WSS 3.0 站点。除了我的身份验证 cookie 之外,我还得到一个包含如下数据的 cookie:
2FDiscovery=WorkspaceSiteName=aHR0cDovL3d3dy5rZWxldi5iaXo=&WorkspaceSiteUrl= aHR0cHM6Ly9zdGFnaW5nLWluc2lnaHQubmNqcnMuZ292&WorkspaceSiteTime=MjAwOS 0xMi0xMFQxNDo1ODoxMQ==; path=/_vti_bin/Discovery.asmx;
该 cookie 没有设置 Secure 属性,即使我的 web.config 中有 requireSSL="true" 并且其他 cookie 具有该属性。
我不知道这个 cookie 是源自 WSS 还是一般的表单身份验证。
有谁知道 cookie 的作用(或者 /_vti_bin/Discovery.asmx 的作用)以及为什么该属性似乎没有从 web.config 中获取?
I have a WSS 3.0 site that uses forms authentication. In addition to my authentication cookie I get a cookie that contains data like this:
2FDiscovery=WorkspaceSiteName=aHR0cDovL3d3dy5rZWxldi5iaXo=&WorkspaceSiteUrl= aHR0cHM6Ly9zdGFnaW5nLWluc2lnaHQubmNqcnMuZ292&WorkspaceSiteTime=MjAwOS 0xMi0xMFQxNDo1ODoxMQ==; path=/_vti_bin/Discovery.asmx;
This cookie does not have the Secure attribute set, even though I have requireSSL="true" in my web.config and the other cookies have the attribute.
I do not know if this cookie originates in WSS or in forms authentication in general.
Does anyone know what the cookie does (or what /_vti_bin/Discovery.asmx does, for that matter) and why the attribute doesn't seem to get picked up from the web.config?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
Cookie 的内容(
WorkspaceSiteName、WorkspaceSiteUrl、WorkspaceSiteTime)表明 MS Office 使用它来记住最近使用的 SharePoint Workspaces,以便它可以例如,当您想在 MS Word 中保存文档时向您显示。不过我还没有验证过这一点。根据我的经验,cookie 的持续时间为 30 天,这意味着 MS Office 会记住您过去 30 天访问过的工作区。关于您在
web.config中的requireSSL=true条目未被选取,您将该条目放在了哪个web.config中?网站根目录(位于c:\inetpub\wwwroot\wss\virtualdirectories\文件夹中)的web.config是错误的web.config!_vti_bin在 IIS 中配置为虚拟目录,并映射到物理路径C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\isapi。该位置有一个单独的web.config。The content of the cookie (
WorkspaceSiteName,WorkspaceSiteUrl,WorkspaceSiteTime) suggests it is used by MS Office to remember the recently used SharePoint Workspaces so it can show it to you when you like to save a document in MS Word for example. I haven't verified this though. In my experience, the cookie has a persistence period of 30 days, which would mean that MS Office remembers the workspaces you have visited the last 30 days.Regarding your
requireSSL=trueentry inweb.confignot being picked up, in whichweb.configdid you put the entry? Theweb.configat the root of your web site (in thec:\inetpub\wwwroot\wss\virtualdirectories\<sitename>folder) is the wrongweb.config!_vti_binis configured as a virtual directory in IIS and maps to the physical pathC:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\isapi. There is a seperateweb.configin that location.当谷歌搜索 Discovery.asmx 时,我得到的唯一线索是该服务由 WIndows Live ID 使用。显然,即使 Live ID 不是该网站上使用的实际身份验证提供商,它仍然处于活动状态。
您可以尝试直接使用 IIS 阻止对此服务的访问吗?只需打开 IIS 管理器并找到该服务即可。然后阻止所有外部访问它。不确定这方面有什么可能性(禁用所有身份验证,或添加重定向到 404 页面规则...)
PS 首先确保它不会造成实际的安全漏洞/威胁。
When googling for Discovery.asmx the only clue i get is that this service is used by WIndows Live ID. Apparently it is active even when Live ID is not the actual authentication provider used on that website.
You could try blocking access to this service using IIS directly? Just open the IIS manager and find the service. Then block all outside access to it. Not to sure what possibilities there are regarding this though (disable all authentication, or add a redirect to 404 page rule to it...)
P.S. Make sure it doesn't pose an actual security hole / threat first though.