ASP MVC 3 cookie丢失了HttpOnly和Secure标志

时间:2022-01-22 01:41:27

I am setting cookies as part of my mvc application:

我将cookie设置为我的mvc应用程序的一部分:

var cookie = new HttpCookie(CookieName, encryptedData)
            {
                Path = FormsAuthentication.FormsCookiePath,
                Domain = CookieDomain,
                Expires = authenticationTicket.Expiration,
                HttpOnly = true,
                Secure = IsSecure // true
            };
            response.Cookies.Add(cookie);

Now if I debug I see that its all working fine, no problems and its added and thats fine too. However for some reason when it actually reaches the browser there is no HttpOnly flag or Secure flag set. So im a bit baffled...

现在,如果我调试我发现它一切正常,没有问题,它添加了也很好。但是由于某种原因,当它实际到达浏览器时,没有设置HttpOnly标志或安全标志。所以我有点困惑......

I have tried setting the HttpOnly and Secure flags in the cookie web.config entry under System.Web:

我已经尝试在System.Web下的cookie web.config条目中设置HttpOnly和Secure标志:

<httpCookies httpOnlyCookies="true" requireSSL="true" />

Now here is how the response looks when the browser receives it:

现在,这是浏览器收到响应时的响应方式:

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: application/json; charset=utf-8
Server: Microsoft-IIS/7.5
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
Access-Control-Max-Age: 10000
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: content-type, x-requested-with, *
Access-Control-Allow-Origin: http://localhost:34567
X-AspNetMvc-Version: 3.0
X-AspNet-Version: 4.0.30319
Set-Cookie: myCookie=53BA8AF84835A81E014B9174329D8543FBB6029B71C463C6FC1305D9F966F28EAA058FE103325C0F10A3012480FB0EF3F6C0BAC4703A6A6B725F383ADA35A5C125A0438FC42CADCB0DAB77953C967E6660E51C4113C6545220A0C2F86230F446D159D523BBE9CA4D9419A67BC44D23B9C4D0974DF2ED66C47EA7308D8E42E1C2280EA6059A23303E3BCBDF28F6BD4A3DFA92FFAB33DDAC8EC05D99310D26FBD6310252156CD28B89386B0D483D6D2E295EF33487E64468655371CC446E0B5DDBF12B3AA8218AF1FA929A98638A1AC729BA60815B86EAD9624ED1787172B585BE4E457C3568AB6EAAF4865E8468D04336FA7340AAC1BA75162FB322D436DC9BF50466F2F0FB3464ECF41C6C1F7001639DFE2AB2AD9CBFB65A292FE5FA42783DF331AA4641432647BA9672FE6D4C15F830E4DF8B38605852BCB15E5B01B862D966E2FD1D620730312982DB8AB4CE5EE0D0E40E6C3F5234DE5EBFA594036D912F07C3798ED429A2552AD6C4B9EC10B90749850CBDEC97F0BF7E2E43CB3991608C5D533B6EA9F8D0A7AD949B42CD3BAA13DEE99C330121B3D868B412A3435FA01C7F223641CFE441A2E07F5DFB8B23F053CBA13F5E1262A07FBFD4EC4BADF9BD5898; expires=Wed, 27-Feb-2013 19:15:24 GMT; path=/
Date: Wed, 27 Feb 2013 18:45:24 GMT
Content-Length: 2

So am I missing something here? or is there something that I am not setting somewhere that I should be? I am also using CORS because this cookie is issued from a webserver as an authentication mechanism. SSL is enabled and is also being used via https for calls. Even if I turn secure cookies off and use http, the HTTPOnly flag is not being set either, so I am baffled.

我在这里错过了一些东西吗?或者有什么东西我没有设置在我应该的地方吗?我也在使用CORS,因为这个cookie是作为身份验证机制从Web服务器发出的。 SSL已启用,并且还通过https用于呼叫。即使我关闭安全cookie并使用http,HTTPOnly标志也没有被设置,所以我很困惑。

=== Update ===

===更新===

Having double checked it appears I misinformed you, the HttpOnly response is sent down from the server correctly on the first time you receive the cookie, HOWEVER! when an ajax call then sends the cookie to the server it seems to not add the httponly flag, which then means the cookie being thrown around is no longer as secure. The secure part of the cookie is not sent down on the first response, but at least this adds a bit more context to it all.

经过双重检查后,我误解了您,HttpOnly响应会在您第一次收到cookie时从服务器正确发送,但是!当一个ajax调用然后将cookie发送到服务器时,它似乎没有添加httponly标志,这意味着被抛出的cookie不再是安全的。 cookie的安全部分不会在第一个响应中发送,但至少这会为它添加更多的上下文。

2 个解决方案

#1


10  

Try this, looks like a similar issue. (How can I set the Secure flag on an ASP.NET Session Cookie?)

试试这个,看起来像一个类似的问题。 (如何在ASP.NET会话Cookie上设置安全标志?)

In the <system.web> element, add the following element:

元素中,添加以下元素:

<httpCookies requireSSL="true" />

However, if you have a <forms> element in your system.web\authentication block, then this will override the setting in httpCookies, setting it back to the default false.

但是,如果system.web \ authentication块中有 元素,则会覆盖httpCookies中的设置,将其设置回默认值false。

In that case, you need to add the requireSSL="true" attribute to the forms element as well.

在这种情况下,您还需要将requiresSSL =“true”属性添加到forms元素。

So you will end up with:

所以你最终会得到:

<system.web>
  <authentication mode="Forms">
    <forms requireSSL="true">
        /* forms content */
    </forms>
  </authentication>
</system.web>

#2


2  

It seems like this is all correct behaviour, I wrote another question specifically about the httponly client cookie behaviour, and that led to another post... what a rabbit hole.

看起来这是所有正确的行为,我专门写了另一个关于httponly客户端cookie行为的问题,这导致另一个帖子......什么是兔子洞。

What should be the correct behaviour of browser when sending and receiving httponly cookie via ajax?

通过ajax发送和接收httponly cookie时,浏览器的正确行为应该是什么?

Anyway that seems to indicate the server needs to keep tampering with the cookie to add the HttpOnly behaviour.

无论如何,似乎表明服务器需要继续篡改cookie以添加HttpOnly行为。

I have made a custom httpmodule which will check for the cookie in question and re-apply the desired behaviour to the cookie (based on configurations from the web.config)

我已经制作了一个自定义的httpmodule,它将检查有问题的cookie并将所需的行为重新应用到cookie中(基于web.config中的配置)

#1


10  

Try this, looks like a similar issue. (How can I set the Secure flag on an ASP.NET Session Cookie?)

试试这个,看起来像一个类似的问题。 (如何在ASP.NET会话Cookie上设置安全标志?)

In the <system.web> element, add the following element:

元素中,添加以下元素:

<httpCookies requireSSL="true" />

However, if you have a <forms> element in your system.web\authentication block, then this will override the setting in httpCookies, setting it back to the default false.

但是,如果system.web \ authentication块中有 元素,则会覆盖httpCookies中的设置,将其设置回默认值false。

In that case, you need to add the requireSSL="true" attribute to the forms element as well.

在这种情况下,您还需要将requiresSSL =“true”属性添加到forms元素。

So you will end up with:

所以你最终会得到:

<system.web>
  <authentication mode="Forms">
    <forms requireSSL="true">
        /* forms content */
    </forms>
  </authentication>
</system.web>

#2


2  

It seems like this is all correct behaviour, I wrote another question specifically about the httponly client cookie behaviour, and that led to another post... what a rabbit hole.

看起来这是所有正确的行为,我专门写了另一个关于httponly客户端cookie行为的问题,这导致另一个帖子......什么是兔子洞。

What should be the correct behaviour of browser when sending and receiving httponly cookie via ajax?

通过ajax发送和接收httponly cookie时,浏览器的正确行为应该是什么?

Anyway that seems to indicate the server needs to keep tampering with the cookie to add the HttpOnly behaviour.

无论如何,似乎表明服务器需要继续篡改cookie以添加HttpOnly行为。

I have made a custom httpmodule which will check for the cookie in question and re-apply the desired behaviour to the cookie (based on configurations from the web.config)

我已经制作了一个自定义的httpmodule,它将检查有问题的cookie并将所需的行为重新应用到cookie中(基于web.config中的配置)