How to set the SameSite attribute on the ARRAffinity cookie
I had a security vulnerability pop up for one of my websites.
The vulnerability is Insecure Cookie Configuration - SameSite Flag.
After trying and analysing solutions, I saw that only ARRAffinity has its SameSite attribute not set.
I found the following solution for setting the ARRAffinity cookie's SameSite attribute in the web.config file:
<system.webServer>
  <rewrite>
    <outboundRules>
      <rule name="Add SameSite Cookie Flag to ArrAffinity cookie" enabled="true">
        <match serverVariable="RESPONSE_Set_Cookie" pattern=".*" />
        <conditions>
          <add input="{R:0}" pattern="ARRAffinity=(.*)" ignoreCase="true" negate="true" />
          <add input="{HTTP_USER_AGENT}" pattern="Macintosh; Intel Mac OS X 10_14.+Version/.*Safari" ignoreCase="true" negate="true" />
          <add input="{HTTP_USER_AGENT}" pattern="CPU iPhone OS 12" ignoreCase="true" negate="true" />
          <add input="{HTTP_USER_AGENT}" pattern="iPad; CPU OS 12" ignoreCase="true" negate="true" />
        </conditions>
        <action type="Rewrite" value="{HTTP_COOKIE};Path=/;HttpOnly;SameSite=None;secure" />
      </rule>
    </outboundRules>
  </rewrite>
</system.webServer>
But after this, the website is showing two ARRAffinity cookies, one with SameSite=None and the other with SameSite still empty. Users are also having sign-in issues because of this. How can I fix this? If not, then is there any other way I can set up the SameSite attribute for ARRAffinity?
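Reading the posted rule with the IIS URL Rewrite semantics in mind explains both symptoms. The first condition has `negate="true"`, so the action runs on every Set-Cookie header except the ARRAffinity one; and the action value starts with `{HTTP_COOKIE}`, which is the Cookie header the client sent on the request, not the matched response header. Each affected Set-Cookie (including any sign-in cookie) is therefore replaced by a copy of the client's existing cookies, which contain ARRAffinity, so a second ARRAffinity cookie appears with the appended attributes while the real one is untouched. The rule below is an added example written by the editor, not the poster's rule and not an official Microsoft snippet: it matches only the ARRAffinity header, skips headers that already carry SameSite so it is idempotent, and appends to `{R:0}` (the matched header) instead of overwriting it. It assumes the URL Rewrite module is installed, that the site is served over HTTPS (SameSite=None is only accepted with Secure), and it keeps the poster's user-agent exclusions for clients that treat SameSite=None as Strict.

```xml
<!-- Added example (editor's rewrite, not the poster's rule): append SameSite=None and Secure
     only to Set-Cookie headers that start with ARRAffinity= and have no SameSite attribute yet.
     Assumptions: IIS URL Rewrite module installed, site served over HTTPS. -->
<system.webServer>
  <rewrite>
    <outboundRules>
      <rule name="Add SameSite=None to ARRAffinity cookie" enabled="true">
        <!-- {R:0} is the full text of the matched Set-Cookie header -->
        <match serverVariable="RESPONSE_Set_Cookie" pattern=".*" />
        <conditions logicalGrouping="MatchAll">
          <!-- only the ARRAffinity cookie: no negate on this condition -->
          <add input="{R:0}" pattern="^ARRAffinity=" ignoreCase="true" />
          <!-- skip headers that already declare SameSite, so repeated runs do not stack attributes -->
          <add input="{R:0}" pattern="SameSite=" ignoreCase="true" negate="true" />
          <!-- clients known to reject SameSite=None; kept from the posted rule -->
          <add input="{HTTP_USER_AGENT}" pattern="Macintosh; Intel Mac OS X 10_14.+Version/.*Safari" ignoreCase="true" negate="true" />
          <add input="{HTTP_USER_AGENT}" pattern="CPU iPhone OS 12" ignoreCase="true" negate="true" />
          <add input="{HTTP_USER_AGENT}" pattern="iPad; CPU OS 12" ignoreCase="true" negate="true" />
        </conditions>
        <!-- append to the matched header; never substitute the request's {HTTP_COOKIE} here -->
        <action type="Rewrite" value="{R:0}; SameSite=None; Secure" />
      </rule>
    </outboundRules>
  </rewrite>
</system.webServer>
```

Verify the result by inspecting the raw response headers (browser dev tools or `curl -sI` against the site) rather than the cookie jar: there should be exactly one Set-Cookie for ARRAffinity, carrying both SameSite=None and Secure, and the sign-in cookie's Set-Cookie should be unchanged. If the ARRAffinity header is injected by a load balancer or proxy in front of the application rather than by the application's own IIS pipeline, an in-app outbound rule never sees it and the attribute has to be configured on that front end instead.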