我已将.ASPXAUTH cookie设置为仅https,但我不确定如何使用ASP.NET_SessionId有效地执行相同操作.
整个站点使用HTTPS,因此cookie不需要同时使用http和https.
我找到了许多将HttpOnly添加到我的cookie中的例子,但它对我不起作用,我不知道为什么.我发现的所有例子都是一样的,我从我找到的一个帖子中复制了这个例子.我在IIS 7.0下使用.NET 3.5.希望有人可以告诉我我做错了什么?谢谢
<rewrite>
<outboundRules>
<rule name="Add HttpOnly" preCondition="No HttpOnly">
<match serverVariable="RESPONSE_Set_Cookie" pattern=".*" negate="false" />
<action type="Rewrite" value="{R:0}; HttpOnly" />
<conditions>
</conditions>
</rule>
<preConditions>
<preCondition name="No HttpOnly">
<add input="{RESPONSE_Set_Cookie}" pattern="." />
<add input="{RESPONSE_Set_Cookie}" pattern="; HttpOnly" negate="true" />
</preCondition>
</preConditions>
</outboundRules>
</rewrite>
UPDATE
我想出了如何打开跟踪,发现preCondition正在查看所有cookie,而不是每个cookie.
所以不要评估
Set-Cookie: myC5=we have S Cookie; path=/; secure
Set-Cookie: myC6=we have S Cookie; path=/; secure
Set-Cookie: myC7=we have S Cookie; path=/; secure; HttpOnly
正在评估中
myC5=we have S Cookie; path=/; secure,myC6=we have S Cookie; path=/; secure,myC7=we have S …