In my web project settings, the option to turn on httpOnlyCookies is not there. It is false by default. Also, there is no place in the code where the cookie is set to HttpOnly. However, when I browse to the site I can see that the ASP.NET_Session cookie is being passed as HttpOnly. How is it set to HttpOnly?
2 solutions
#1
14
ASP.NET session cookies are HttpOnly, regardless of the httpOnlyCookies setting linked to in your question, because this is burned into ASP.NET. You can't override this.
If you dig into the System.Web.SessionState.SessionIDManager class in the System.Web assembly, the code for creating the ASP.NET session cookie looks like:
private static HttpCookie CreateSessionCookie(string id)
{
HttpCookie cookie = new HttpCookie(Config.CookieName, id);
cookie.Path = "/";
cookie.HttpOnly = true; // <-- burned in
return cookie;
}
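Because the flag is set inside the framework rather than in your own code, the practical question becomes verifying what the server actually emits. The following is an added example, not code from the question or either answer: it parses Set-Cookie header values the way a browser would (attribute names are case-insensitive), reports which cookies lack HttpOnly or Secure, and lists which ones a document.cookie read from script would expose. The header values are constructed to look like an ASP.NET response; the cookie names and values are illustrative assumptions, not captured traffic.

```python
"""Audit Set-Cookie header values for the HttpOnly and Secure flags.

Added example for this page, not code from the question or answers.
SAMPLE_HEADERS below is constructed; names and values are assumptions.
"""

from dataclasses import dataclass, field


@dataclass
class CookieInfo:
    name: str
    value: str
    # lower-cased attribute name -> value, or True for bare flags
    attributes: dict = field(default_factory=dict)

    @property
    def http_only(self) -> bool:
        return "httponly" in self.attributes

    @property
    def secure(self) -> bool:
        return "secure" in self.attributes


def parse_set_cookie(header_value: str) -> CookieInfo:
    """Parse one Set-Cookie header value into name, value and attributes.

    Attribute names are matched case-insensitively ("HttpOnly", "httponly"
    and "HTTPONLY" are all the same flag), matching browser behaviour.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, sep, value = parts[0].partition("=")
    if not sep or not name.strip():
        raise ValueError(f"malformed cookie-pair: {parts[0]!r}")
    info = CookieInfo(name.strip(), value.strip())
    for attr in parts[1:]:
        if not attr:
            continue  # tolerate a trailing ';'
        key, sep, val = attr.partition("=")
        info.attributes[key.strip().lower()] = val.strip() if sep else True
    return info


def audit_cookies(set_cookie_headers) -> dict:
    """Map each cookie name to the list of protective flags it is missing."""
    findings = {}
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        missing = []
        if not cookie.http_only:
            missing.append("HttpOnly")
        if not cookie.secure:
            missing.append("Secure")
        findings[cookie.name] = missing
    return findings


def visible_to_script(set_cookie_headers) -> list:
    """Names a document.cookie read would return: everything not HttpOnly."""
    return [
        parse_set_cookie(h).name
        for h in set_cookie_headers
        if not parse_set_cookie(h).http_only
    ]


# Constructed sample resembling an ASP.NET response; not real traffic.
SAMPLE_HEADERS = [
    "ASP.NET_SessionId=abc123; path=/; HttpOnly",
    ".ASPXAUTH=ticket-data; path=/; secure; HttpOnly",
    "prefs=dark; path=/",
]

if __name__ == "__main__":
    for name, missing in audit_cookies(SAMPLE_HEADERS).items():
        status = "ok" if not missing else "missing " + ", ".join(missing)
        print(f"{name}: {status}")
    print("readable from script:", visible_to_script(SAMPLE_HEADERS))
```

To run this against a live site, feed it the values of every Set-Cookie header from the response (for example `response.headers.get_all("Set-Cookie")` on a `urllib.request` response object), one header value per list element; the session cookie should show as HttpOnly regardless of web.config, while Secure and any custom cookies depend on your own configuration.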
#2
1
It is HttpOnly so that your session cookie cannot be modified by the client with JavaScript.