如何保护ASP.NET_SessionId cookie？

Question

我已将.ASPXAUTH cookie设置为仅https,但我不确定如何使用ASP.NET_SessionId有效地执行相同操作.

整个站点使用HTTPS,因此cookie不需要同时使用http和https.

Answer 1

要将; secure后缀添加到Set-Cookiehttp标头,我只需使用<httpCookies>web.config中的元素:

<system.web>
  <httpCookies httpOnlyCookies="true" requireSSL="true" />
</system.web>

恕我直言,比编写Anubhav Goyal文章中的代码更方便.

请参阅:http://msdn.microsoft.com/en-us/library/ms228262(v = vs.100).aspx

Answer 2

以下是Anubhav Goyal撰写的博客文章中的代码片段:

// this code will mark the forms authentication cookie and the
// session cookie as Secure.
if (Response.Cookies.Count > 0)
{
    foreach (string s in Response.Cookies.AllKeys)
    {
        if (s == FormsAuthentication.FormsCookieName || "asp.net_sessionid".Equals(s, StringComparison.InvariantCultureIgnoreCase))
        {
             Response.Cookies[s].Secure = true;
        }
    }
}

将此添加到global.asax中的EndRequest事件处理程序应该可以实现所有页面调用.

注意:建议编辑break;在成功的"安全"分配中添加语句.我已经拒绝了这个编辑,因为它只允许1个cookie被强制保护而第二个被忽略.添加计数器或其他度量标准以确定两者都已被保护并在此时断开是不可想象的.但是,使用更新的代码技术,这可能会更好地编写为:

// this code will mark the forms authentication cookie and the
// session cookie as Secure.
if (Response.Cookies.Count > 0)
{
    foreach (string s in Response.Cookies.AllKeys)
    {
        if (s == FormsAuthentication.FormsCookieName || "asp.net_sessionid".Equals(s, StringComparison.InvariantCultureIgnoreCase))
        {
             Response.Cookies[s].Secure = true;
        }
    }
}

Answer 3

使用上面的Marcel解决方案来保护Forms Authentication cookie,您还应该更新"authentication"配置元素以使用SSL

<authentication mode="Forms">
   <forms ...  requireSSL="true" />
</authentication>

其他明智的身份验证cookie将不是https

请参阅:http://msdn.microsoft.com/en-us/library/vstudio/1d3t3c61(v=vs.100).aspx

Answer 4

发现在Session_Start中设置安全属性就足够了,正如MSDN博客" 保护会话ID:ASP/ASP.NET "中的建议一样,并进行了一些扩充.

    protected void Session_Start(Object sender, EventArgs e)
    {
        SessionStateSection sessionState = 
 (SessionStateSection)ConfigurationManager.GetSection("system.web/sessionState");
        string sidCookieName = sessionState.CookieName;

        if (Request.Cookies[sidCookieName] != null)
        {
            HttpCookie sidCookie = Response.Cookies[sidCookieName];
            sidCookie.Value = Session.SessionID;
            sidCookie.HttpOnly = true;
            sidCookie.Secure = true;
            sidCookie.Path = "/";
        }
    }