我有一个asp经典网站,我想将httponly设置为启用cookie ASPSESSIONIDxxxx,我在general.asp文件中应用了这个,该文件在网站加载时被调用:
AspSessionCookie = Request.ServerVariables("HTTP_COOKIE")
' Split the cookies by the semicolon delimiter
cookies = Split(AspSessionCookie, ";")
' Loop through cookies again to find the ASPSESSIONID and set it with HttpOnly
For i = 0 To UBound(cookies)
If InStr(cookies(i), "ASPSESSIONID") > 0 Then
' Extract the ASPSESSIONID cookie value
Dim cookieValue
cookieParts = Split(cookies(i), "=")
cookieName = Trim(cookieParts(0))
cookieValue = Trim(cookieParts(1))
' Set the ASPSESSIONID cookie with HttpOnly attribute
Response.AddHeader "Set-Cookie", cookieName & "=" & cookieValue & "; HttpOnly"
Exit For
End If
Next
代码可以工作,但是当我检查网络应用程序时,我现在有 2 个 cookie,即我的网站的 cookie,其 URL 为“/mysite”,启用了 httponly,另一个 cookie 具有完全相同的名称和值,但 URL 为“ /”并且 httponly 被禁用,我的问题仍然有效,我的代码以避免网站黑客攻击,或者我需要继续研究更好的解决方案?
客户端脚本可以访问非 http-cookies,这违背了设置
HttpOnlyHttpOnlySecure因此,为了保护 cookie 和站点,您可以使用以下 iis url 重写规则,它将帮助您设置 Secure 和 HttpOnly 标志:
<rewrite>
<outboundRules>
<rule name="Use only secure cookies" preCondition="Unsecured cookie">
<match serverVariable="RESPONSE_SET_COOKIE" pattern=".*" negate="false" />
<action type="Rewrite" value="{R:0}; secure" />
</rule>
<preConditions>
<preCondition name="Unsecured cookie">
<add input="{RESPONSE_SET_COOKIE}" pattern="." />
<add input="{RESPONSE_SET_COOKIE}" pattern="; secure" negate="true" />
</preCondition>
</preConditions>
</outboundRules>
</rewrite>