Is there a way to mark classic ASP ASPSESSIONID* cookies as secure? It appears that the ASP ISAPI handler adds that session id cookie after my page is done rendering so putting code at the end of my page to loop through the Response.Cookie collection and mark them as secure doesn't seem to touch the ASPSESSIONID* cookie. Any other way of doing this?
有没有办法将经典ASP ASPSESSIONID * cookie标记为安全?在我的页面完成渲染后,ASP ISAPI处理程序似乎添加了会话ID cookie,因此将代码放在我的页面末尾以循环遍历Response.Cookie集合并将它们标记为安全似乎没有触及ASPSESSIONID * cookie 。这样做的其他任何方式?
4 个解决方案
#1
The answer is no there isn't
There isn't on the standard UI provided by IIS manager. However, you can enable secure cookies for the SessionID via the AspKeepSessionIDSecure Metabase value
答案是否定没有IIS管理器提供的标准UI上没有。但是,您可以通过AspKeepSessionIDSecure Metabase值为SessionID启用安全cookie
#2
I run this command:
CSCRIPT C:\Inetpub\AdminScripts\adsutil.vbs set w3svc/1/AspKeepSessionIDSecure 1
More information here: http://blogs.msdn.com/b/rahulso/archive/2007/06/19/cookies-case-study-with-ssl-and-frames-classic-asp.aspx
我运行此命令:CSCRIPT C:\ Inetpub \ AdminScripts \ adsutil.vbs set w3svc / 1 / AspKeepSessionIDSecure 1更多信息请访问:http://blogs.msdn.com/b/rahulso/archive/2007/06/19/cookies - 案例学习 - 与-SSL-和帧经典,asp.aspx
#3
[Edit: You can ignore the following. I just realized that you were talking about ASPSESSIONID.}
[编辑:您可以忽略以下内容。我刚刚意识到你在谈论ASPSESSIONID。}
There is built-in support for secure cookies.
内置支持安全cookie。
See http://msdn.microsoft.com/en-us/library/ms524757.aspx
Example (for ASP.Net, not Classic ASP):
示例(对于ASP.Net,而不是经典ASP):
Response.Cookies("setSecure") = "someValue"
Response.Cookies("setSecure").Secure = true
#4
As found here, an UrlRewrite rule can handle this.
如此处所示,UrlRewrite规则可以处理此问题。
The rules below handle it for adding both HttpOnly and Secure if they are missing on the ASPSESSIONID cookie. (For other cookies, normally they are emitted by the site ASP code: better handle that directly in the code responsible for them.)
如果在ASPSESSIONID cookie上缺少HttpOnly和Secure,则下面的规则会处理它。 (对于其他cookie,通常它们由站点ASP代码发出:更好地直接在负责它们的代码中处理。)
<system.webServer>
<rewrite>
<outboundRules>
<rule name="Add HttpOnly" preCondition="No HttpOnly">
<match serverVariable="RESPONSE_Set_Cookie" pattern="\s*ASPSESSIONID.*" />
<action type="Rewrite" value="{R:0}; HttpOnly" />
</rule>
<rule name="Add Secure" preCondition="No Secure">
<match serverVariable="RESPONSE_Set_Cookie" pattern="\s*ASPSESSIONID.*" />
<action type="Rewrite" value="{R:0}; Secure" />
<conditions>
<add input="{HTTP_HOST}" pattern="localhost" negate="true" />
</conditions>
</rule>
<preConditions>
<preCondition name="No HttpOnly">
<add input="{RESPONSE_Set_Cookie}" pattern="; HttpOnly" negate="true" />
</preCondition>
<preCondition name="No Secure" logicalGrouping="MatchAll">
<add input="{RESPONSE_Set_Cookie}" pattern="; Secure" negate="true" />
</preCondition>
</preConditions>
</outboundRules>
</rewrite>
</system.webServer>
If UrlRewrite is not installed in the IIS Server, this will crash the site.
如果IIS服务器中未安装UrlRewrite,则会导致站点崩溃。
Note that the Secure rule should not be applied if the site is legitimately accessed over http instead of https, thus the condition for not emitting it when browsing it locally. If Secure is emitted for a site accessed over http from the client end, the client will not send the cookie back to the server.
请注意,如果通过http而不是https合法访问站点,则不应应用安全规则,因此在本地浏览时不发出该条件的条件。如果从客户端通过http访问的站点发出安全,则客户端不会将cookie发送回服务器。
(I avoid testing the inbound protocol, because the sites I work on are not supposed to be accessed on http anyway, excepted eventually directly from their hosting server or load-balancer.)
(我避免测试入站协议,因为我工作的站点不应该在http*问,最终直接来自他们的托管服务器或负载均衡器。)
I have previously tried using asp/session/keepSessionIdSecure, but it has no effect (at least for a site behind a load-balancer terminating the https and accessing the site server over http). This setting is the modern version (IIS 7+) of the AspKeepSessionIDSecure Metabase value pointed by AnthonyWJones answer.
我之前尝试过使用asp / session / keepSessionIdSecure,但它没有任何效果(至少对于负载平衡器后面的网站终止https并通过http访问站点服务器)。此设置是AnthonyWJones回答指出的AspKeepSessionIDSecure Metabase值的现代版本(IIS 7+)。
#1
The answer is no there isn't
There isn't on the standard UI provided by IIS manager. However, you can enable secure cookies for the SessionID via the AspKeepSessionIDSecure Metabase value
答案是否定没有IIS管理器提供的标准UI上没有。但是,您可以通过AspKeepSessionIDSecure Metabase值为SessionID启用安全cookie
#2
I run this command:
CSCRIPT C:\Inetpub\AdminScripts\adsutil.vbs set w3svc/1/AspKeepSessionIDSecure 1
More information here: http://blogs.msdn.com/b/rahulso/archive/2007/06/19/cookies-case-study-with-ssl-and-frames-classic-asp.aspx
我运行此命令:CSCRIPT C:\ Inetpub \ AdminScripts \ adsutil.vbs set w3svc / 1 / AspKeepSessionIDSecure 1更多信息请访问:http://blogs.msdn.com/b/rahulso/archive/2007/06/19/cookies - 案例学习 - 与-SSL-和帧经典,asp.aspx
#3
[Edit: You can ignore the following. I just realized that you were talking about ASPSESSIONID.}
[编辑:您可以忽略以下内容。我刚刚意识到你在谈论ASPSESSIONID。}
There is built-in support for secure cookies.
内置支持安全cookie。
See http://msdn.microsoft.com/en-us/library/ms524757.aspx
Example (for ASP.Net, not Classic ASP):
示例(对于ASP.Net,而不是经典ASP):
Response.Cookies("setSecure") = "someValue"
Response.Cookies("setSecure").Secure = true
#4
As found here, an UrlRewrite rule can handle this.
如此处所示,UrlRewrite规则可以处理此问题。
The rules below handle it for adding both HttpOnly and Secure if they are missing on the ASPSESSIONID cookie. (For other cookies, normally they are emitted by the site ASP code: better handle that directly in the code responsible for them.)
如果在ASPSESSIONID cookie上缺少HttpOnly和Secure,则下面的规则会处理它。 (对于其他cookie,通常它们由站点ASP代码发出:更好地直接在负责它们的代码中处理。)
<system.webServer>
<rewrite>
<outboundRules>
<rule name="Add HttpOnly" preCondition="No HttpOnly">
<match serverVariable="RESPONSE_Set_Cookie" pattern="\s*ASPSESSIONID.*" />
<action type="Rewrite" value="{R:0}; HttpOnly" />
</rule>
<rule name="Add Secure" preCondition="No Secure">
<match serverVariable="RESPONSE_Set_Cookie" pattern="\s*ASPSESSIONID.*" />
<action type="Rewrite" value="{R:0}; Secure" />
<conditions>
<add input="{HTTP_HOST}" pattern="localhost" negate="true" />
</conditions>
</rule>
<preConditions>
<preCondition name="No HttpOnly">
<add input="{RESPONSE_Set_Cookie}" pattern="; HttpOnly" negate="true" />
</preCondition>
<preCondition name="No Secure" logicalGrouping="MatchAll">
<add input="{RESPONSE_Set_Cookie}" pattern="; Secure" negate="true" />
</preCondition>
</preConditions>
</outboundRules>
</rewrite>
</system.webServer>
If UrlRewrite is not installed in the IIS Server, this will crash the site.
如果IIS服务器中未安装UrlRewrite,则会导致站点崩溃。
Note that the Secure rule should not be applied if the site is legitimately accessed over http instead of https, thus the condition for not emitting it when browsing it locally. If Secure is emitted for a site accessed over http from the client end, the client will not send the cookie back to the server.
请注意,如果通过http而不是https合法访问站点,则不应应用安全规则,因此在本地浏览时不发出该条件的条件。如果从客户端通过http访问的站点发出安全,则客户端不会将cookie发送回服务器。
(I avoid testing the inbound protocol, because the sites I work on are not supposed to be accessed on http anyway, excepted eventually directly from their hosting server or load-balancer.)
(我避免测试入站协议,因为我工作的站点不应该在http*问,最终直接来自他们的托管服务器或负载均衡器。)
I have previously tried using asp/session/keepSessionIdSecure, but it has no effect (at least for a site behind a load-balancer terminating the https and accessing the site server over http). This setting is the modern version (IIS 7+) of the AspKeepSessionIDSecure Metabase value pointed by AnthonyWJones answer.
我之前尝试过使用asp / session / keepSessionIdSecure,但它没有任何效果(至少对于负载平衡器后面的网站终止https并通过http访问站点服务器)。此设置是AnthonyWJones回答指出的AspKeepSessionIDSecure Metabase值的现代版本(IIS 7+)。