Using unsecure and secure cookies depending on context

Published 2025-01-11 02:46:32, 2033 characters, 5 views, 0 comments


We are currently trying to convert some legacy applications. While in development, we are having a lot of issues with secure cookies. While that is definitely on our to-do list, it is halting work on other functionality. We would like to be able to set cookies in our dev environment so that if we reach the site via HTTP, it uses unsecure cookies, but if they reach the site via HTTPS, it uses secure cookies. We are trying to use IIS Url Rewrite to accomplish this. I mocked this up:

<rewrite>
    <outboundRules>
        <rule name="Enable secure Cookies {ProjectName}" preCondition="Missing Secure Cookies {ProjectName}">
            <match serverVariable="RESPONSE_Set_Cookie" pattern=".*" negate="false" />
            <action type="Rewrite" value="{R:0}; secure" />
            <conditions>
                <add input="{HTTPS}" pattern="^Off$" negate="true"/>
            </conditions>
        </rule>
        <rule name="Enable http only {ProjectName}" preCondition="Missing Http Only {ProjectName}">
            <match serverVariable="RESPONSE_Set_Cookie" pattern=".*" negate="false" />
            <action type="Rewrite" value="{R:0}; HttpOnly" />
            <conditions>
                <add input="{HTTPS}" pattern="^Off$" negate="true"/>
            </conditions>
        </rule>
        <preConditions>
            <preCondition name="Missing Secure Cookies {ProjectName}">
                <add input="{RESPONSE_Set_Cookie}" pattern="." />
                <add input="{RESPONSE_Set_Cookie}" pattern="; secure" negate="true" />
            </preCondition>
            <preCondition name="Missing Http Only {ProjectName}">
                <add input="{RESPONSE_Set_Cookie}" pattern="." />
                <add input="{RESPONSE_Set_Cookie}" pattern="; HttpOnly" negate="true" />
            </preCondition>
        </preConditions>
    </outboundRules>
</rewrite>

I added that to the <system.webServer> tag of every web.config file for every project (I actually replace {ProjectName} with the project's name so that different projects have uniquely named rules and preconditions). Unfortunately, I am still getting secure cookies when hitting the site from HTTP. How do I negate the rule when coming from HTTP?

Alternately, is it possible to remove security and httponly if HTTPS is off?
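To reason about what the two outbound rules above actually do to a response, it helps to have a small, offline model of them. The following Python is an added example written for this page; it is not the asker's web.config, not IIS code, and not an IIS API. It assumes what URL Rewrite does by default: regex matching in `match`, `conditions` and `preCondition` entries is case-insensitive (`ignoreCase="true"`), the `{HTTPS}` server variable is compared against `^Off$` with `negate="true"`, and the second rule sees the header value already rewritten by the first. The sample Set-Cookie values are constructed for the example. Note that a server-side outbound rule only ever sees `Set-Cookie` headers the server emits; a cookie written by page script never passes through it.

```python
import re

# URL Rewrite matches patterns case-insensitively unless ignoreCase="false" is
# set explicitly (assumption about the default; mirrored here with IGNORECASE).
_SECURE_RE = re.compile(r"; secure", re.IGNORECASE)
_HTTPONLY_RE = re.compile(r"; HttpOnly", re.IGNORECASE)


def https_condition(https_server_variable: str) -> bool:
    """The <conditions> block of both rules: input {HTTPS}, pattern ^Off$,
    negate="true". Returns True (the rule may fire) for any value other than
    'Off'/'off'. IIS sets {HTTPS} to 'on' or 'off'."""
    return re.fullmatch(r"Off", https_server_variable, re.IGNORECASE) is None


def rewrite_set_cookie(set_cookie: str, https_server_variable: str) -> str:
    """Apply rule 1 ('Enable secure Cookies') then rule 2 ('Enable http only')
    to a single RESPONSE_Set_Cookie value, exactly as the outbound rules would."""
    if not https_condition(https_server_variable):
        return set_cookie  # plain HTTP: both rules' conditions fail, header untouched

    value = set_cookie
    # Rule 1 precondition: header non-empty (pattern ".") and "; secure" absent.
    if value and not _SECURE_RE.search(value):
        value = value + "; secure"  # action: {R:0}; secure
    # Rule 2 precondition is evaluated against the already-rewritten header.
    if value and not _HTTPONLY_RE.search(value):
        value = value + "; HttpOnly"  # action: {R:0}; HttpOnly
    return value


def audit_set_cookie_headers(headers: list[str], https_server_variable: str) -> dict[str, dict[str, bool]]:
    """Run every Set-Cookie header of a response through the rules and report,
    per cookie name, whether it leaves the server with Secure and HttpOnly."""
    report: dict[str, dict[str, bool]] = {}
    for header in headers:
        rewritten = rewrite_set_cookie(header, https_server_variable)
        name = rewritten.split("=", 1)[0].strip()
        report[name] = {
            "secure": _SECURE_RE.search(rewritten) is not None,
            "httponly": _HTTPONLY_RE.search(rewritten) is not None,
        }
    return report


if __name__ == "__main__":
    # Constructed sample response headers (not captured from a real site).
    sample_headers = [
        "ASP.NET_SessionId=abc123; path=/",
        "prefs=dark; path=/; HttpOnly",
        "token=xyz; path=/; Secure",
    ]
    for scheme in ("on", "off"):
        print(f"{{HTTPS}} = {scheme}")
        for h in sample_headers:
            print("  ", rewrite_set_cookie(h, scheme))
        print("  ", audit_set_cookie_headers(sample_headers, scheme))
```

Running the block prints each header as it would leave the server over HTTPS (`{HTTPS}` = on) and over HTTP (`{HTTPS}` = off). If your own rules produce `secure` over plain HTTP, the first things to compare against this model are the value IIS actually puts in `{HTTPS}` on your server and whether `ignoreCase` has been switched off on the condition, since `^Off$` only matches the lowercase `off` IIS emits when matching is case-insensitive.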


Comments (1)

不…忘初心 2025-01-18 02:46:32


My rewrite syntax was correct. The issue was that I missed a client-side cookie that was being created as secure from an unsecure context and that was causing the failures. I will leave this question available in case someone else has a similar need for both secure and unsecure cookies in the same site. Very bad practice for prod, but excellent for development!
