使用 Request.ApplicationPath 作为 cookie 路径是否安全
使用这样的代码安全吗?
Response.Cookies[cookieName].Path = Request.ApplicationPath + "/";
我想了解所有极端情况,请...
Is it safe to use such code?
Response.Cookies[cookieName].Path = Request.ApplicationPath + "/";
I want to know about all corner cases, please...
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
简而言之,不,这不安全。使用 cookie 路径充满了问题,因为它们在 IE 和 Chrome 中区分大小写,但在 FF 中不区分大小写。这意味着路径大小写的任何不匹配都会导致问题。
生成 Cookie 时,如果您设置的路径与用户输入的路径不同,浏览器将不会存储该路径。
生成 Cookie 时,如果您设置的路径与用户输入的路径不同,浏览器将不会存储该路径
当用户返回时,如果他们输入的路径与第一次访问不同,浏览器将不会在请求中提供 cookie。
当用户返回时,如果他们输入的路径与第一次访问不同,浏览器将不会提供 cookie
你想解决什么问题?
In short, no, it's not safe. Using cookie paths is fraught with problems as they are case sensitive in IE and Chrome, but not FF. This means any mismatch in path case will stuff things up.
When generating a cookie, if the path you set differs in case from what the user typed, browsers won't store it.
When the user returns, if the path they enter differs in case from the first trip, the browser won't supply the cookie with the request.
What problem are you trying to solve?
如果您的应用程序在域的根目录中运行,则
Request.ApplicationPath == "/"
。因此,对于您的代码,cookie 的路径将是//
。您可以通过这样做来回避这个问题:如 Will 正确指出,您需要确保您的应用程序强制执行一致的 URL 大小写(即将 URL 中包含大写字母的所有请求重定向为相应的小写字母)。
除此之外,我相信你这样做应该没问题。如果您希望所有 cookie 都处于“应用程序范围”,请考虑使用如下代码创建自定义
IHttpModule
(或扩展global.asax.cs
):If your application runs in the root of a domain,
Request.ApplicationPath == "/"
. Hence, with your code, the path of your cookie will be//
. You can dodge around this problem by doing this:As Will correctly points out, you will want to make sure that your application enforces a consistent casing of URLs (i.e. redirect all requests with URLs containing uppercase letters to their lowercase equivalent).
Other than that, I believe you should be fine doing this. If you want all of your cookies to be "application scoped", consider creating a custom
IHttpModule
with code like this (or extendglobal.asax.cs
):不,这不安全,原因如威尔所指出的。
但是...您可能想采用此技术来实现你的意图。
No, it's not safe, for the reasons that Will specified.
But... You may want to employ this technique to fulfill your intent.