I am writing a "Remember My Username" Cookie that expires in a custom duration of time e.g. one month. I noticed that when I add HttpOnly = true, the expiration changes to session. Why is this? I can't seem to find any documentation on why this would happen.
Thanks.
2 solutions
#1
1
Here is the documentation.
true if the cookie has the HttpOnly attribute and cannot be accessed through a client-side script; otherwise, false. The default is false.
Basically, it becomes a session variable because it will only be stored on the server due to your setting
#2
0
I'm adding the following code. Also, now I'm getting different behavior than the title. I'm running this locally against the VS2010 built-in server. It seems to show inconsistent behavior. I would move the HttpOnly = true before the Expires and after it, and it seemed to change behavior until I refreshed the browser page. So, I am assuming everything was fine and never had an issue. In addition, I am moving the HttpOnly and Secure flags to the web.config because not all my environments have SSL.
    FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
        strUserID,  // name
        false,      // IsPersistent
        24 * 60);   // timeout in minutes (24 hours)

    // Encrypt the ticket.
    string encryTicket = FormsAuthentication.Encrypt(ticket);

    // Create the cookie.
    HttpCookie userCookie = new HttpCookie("Authentication", encryTicket);
    userCookie.HttpOnly = true;
    Response.Cookies.Add(userCookie);
    e.Authenticated = true;

    if (LoginPannelMain.RememberMeSet)
    {
        HttpCookie aCookie = new HttpCookie("email", strUserLogin);
        aCookie.HttpOnly = true;
        aCookie.Expires = DateTime.Now.AddYears(1);
        Response.AppendCookie(aCookie);
    }
    else
    {
        HttpCookie aCookie = new HttpCookie("email", "");
        aCookie.HttpOnly = true;
        Response.AppendCookie(aCookie);
    }
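A header-level check for the behavior discussed in this thread, added here as an example and not code from the question or either answer: it classifies each Set-Cookie value as session, persistent or expired using the RFC 6265 rules, where lifetime comes only from Expires/Max-Age and HttpOnly is a separate flag. The function name, `NOW` and the sample headers are constructed for illustration; only the cookie names come from the post.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

def classify_set_cookie(header, now):
    """Classify one Set-Cookie value using the RFC 6265 lifetime rules."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].partition("=")[0]
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()  # attribute names are case-insensitive
    expires_at = None
    if "max-age" in attrs:  # Max-Age takes precedence over Expires
        try:
            expires_at = now + timedelta(seconds=int(attrs["max-age"]))
        except ValueError:
            pass  # an unparsable Max-Age is ignored
    if expires_at is None and "expires" in attrs:
        try:
            expires_at = parsedate_to_datetime(attrs["expires"])
            if expires_at.tzinfo is None:
                expires_at = expires_at.replace(tzinfo=timezone.utc)
        except (TypeError, ValueError):
            pass  # an unparsable Expires is ignored
    if expires_at is None:
        lifetime = "session"     # no usable Expires/Max-Age: gone when the browser session ends
    elif expires_at <= now:
        lifetime = "expired"     # the browser deletes the cookie
    else:
        lifetime = "persistent"
    return {"name": name, "lifetime": lifetime,
            "http_only": "httponly" in attrs, "secure": "secure" in attrs}

# Constructed reference time and sample headers (values are placeholders).
NOW = datetime(2026, 6, 14, tzinfo=timezone.utc)
SAMPLE_HEADERS = [
    "Authentication=PLACEHOLDER_TICKET; path=/; HttpOnly",
    "email=user@example.com; expires=Mon, 14 Jun 2027 10:00:00 GMT; path=/; HttpOnly",
    "email=user@example.com; expires=Mon, 14 Jun 2027 10:00:00 GMT; path=/",
    "email=; path=/; HttpOnly",
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(classify_set_cookie(h, NOW))
```

Running the same classification over the Set-Cookie headers captured from the real response (browser developer tools or a proxy) shows what the server sent, independent of what an already-stored cookie in the browser looks like.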