我在创建HttpOnly Cookies时遇到问题,我使用以下代码创建新的Cookie:
//A.aspx
HttpCookie ht = new HttpCookie("www");
ht.Value = "www";
ht.Name = "www";
ht.HttpOnly = true;
ht.Expires = DateTime.Now.AddDays(1);
Response.AppendCookie(ht);
Response.Redirect("B.aspx");
//B.aspx
HttpCookie cookie = Request.Cookies["Allowed"];
HttpCookie htt = Request.Cookies["www"];
if (cookie != null)
{
Response.Write(cookie.HttpOnly);
Response.Write(htt.HttpOnly);
}
else
{
cookie = new HttpCookie("Allowed");
cookie.HttpOnly = true;
cookie.Value = "ping";
cookie.Expires = DateTime.Now.AddMinutes(2);
Response.Cookies.Add(cookie);
Response.Write(cookie.HttpOnly);
Response.Write(htt.HttpOnly);
}
问题是,尽管HttpOnly属性设置为
False
,但最终结果始终是True
。谁能解释给我解决这个问题的方法?
谢谢
最佳答案
Cookie参数(有效期,路径,HttpOnly等)不会由浏览器发送回服务器,而只会发送回值。送回他们只会带来不必要的膨胀。因此,Request.Cookies
中的cookie仅包含名称和值。
如果要查看HttpOnly值是否正在生效,请使用Firecookie或类似的方法检查cookie。或尝试使用JavaScript访问它们-这是应该防止的。