Is there any way to delete an HttpOnly cookie from a C# Selenium test?

Posted on 2024-09-03 02:08:53 · 311 words · 7 views · 0 comments

I have a set of C# Selenium tests that need to delete a cookie that has the HttpOnly flag set.

Unfortunately the DefaultSelenium.GetCookie() and DefaultSelenium.DeleteCookie() commands aren't able to access the cookie, because it has that HttpOnly flag set. I've confirmed this by removing the flag by hand, and checking that subsequent calls to either of those methods are then happily able to manipulate the cookie in question.

Is there any other way to do this via the Selenium .NET client driver?

All ideas welcome!

Comments (1)

烈酒灼喉 2024-09-10 02:08:53

Since I was unable to do this via the client driver, I had to find an alternative method. Fortunately, the web app under test has a selection of test pages that allow interaction with the session cookie (being the HttpOnly cookie I was trying to access) and so I was able to achieve my goal by automating those pages instead.

For anybody else that encounters this issue, there's a good SO answer here about how HttpOnly is burned into ASP.NET.

Additionally, this SO answer points out how HttpOnly can be manipulated via the app's web.config, with the caveat that it can only be turned on, not off.

Anybody willing to alter their application for testing purposes should check out this workaround, basically altering the Session_Start method in Global.asax to strip out the HttpOnly flag so that it is accessible to client script. This kind of workaround should only be used in a test environment, however, as it opens the security hole that HttpOnly was introduced to close - namely an XSS vulnerability. Jeff Atwood wrote a good blog post about it here.
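A deployment check tied to the test-environment caveat above, as an added example that is not part of the original answer or of Selenium: it audits raw `Set-Cookie` header values and reports watched session cookies issued without `HttpOnly`, so a build carrying the test-only workaround can be caught before release. The class name, the sample headers and the watched cookie name `ASP.NET_SessionId` (the ASP.NET default) are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Added example (hypothetical helper, not project code).
static class HttpOnlyAudit
{
    // Splits one Set-Cookie value into the cookie name and whether the
    // HttpOnly attribute is present. Only attributes after the first ';'
    // are inspected, so a cookie *value* containing "HttpOnly" is not
    // mistaken for the flag.
    public static (string Name, bool HttpOnly) Parse(string setCookie)
    {
        string[] parts = setCookie.Split(';');
        string name = parts[0].Split('=')[0].Trim();
        bool httpOnly = parts.Skip(1).Any(p =>
            p.Trim().Equals("HttpOnly", StringComparison.OrdinalIgnoreCase));
        return (name, httpOnly);
    }

    // Returns the watched cookies that were sent without HttpOnly.
    public static List<string> Missing(IEnumerable<string> headers, ISet<string> watched)
    {
        return headers.Select(Parse)
                      .Where(c => watched.Contains(c.Name) && !c.HttpOnly)
                      .Select(c => c.Name)
                      .ToList();
    }

    static void Main()
    {
        // Assumed session cookie name for the application under test.
        var watched = new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "ASP.NET_SessionId" };

        // Constructed sample Set-Cookie values, not captured traffic.
        var normalBuild = new[] { "ASP.NET_SessionId=abc123; path=/; HttpOnly", "theme=HttpOnly; path=/" };
        var testBuild = new[] { "ASP.NET_SessionId=abc123; path=/", "theme=dark; path=/" };

        foreach (var (label, headers) in new[] { ("normal build", normalBuild), ("test build", testBuild) })
        {
            List<string> missing = Missing(headers, watched);
            Console.WriteLine(missing.Count == 0
                ? label + ": session cookie carries HttpOnly"
                : label + ": HttpOnly missing on " + string.Join(", ", missing));
        }
    }
}
```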
