本文介绍了HttpCookie.HttpOnly属性使用MVC,如何设置为False?的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述


您好,(不确定这是否是发布的正确位置)



当我们运行安全扫描时我们的网站收到错误消息"会话Cookie不包含"安全"消息属性" (这可能允许中间人攻击)

屏幕截图:https://www.screencast.com/t/1cEiBQ1Zelb



以下是使用Cookie工具时的外观。  https://www.screencast.com/t/KXZxfflN 



它显示cookie只允许超过http但我们需要它超过httpS



在我的搜索中,我找到了如何在代码中设置它的声明...与MSDN上一样,https://msdn.microsoft.com/en-us/library/system.web.httpcookie.httponly(v = vs.110 ).aspx ...

但我的开发人员告诉我"该链接不起作用。它仅适用于webforms。我们
正在使用 
mvc"



那么在使用MVC时如何解决这个问题?



谢谢你
Shane Weddle

解决方案

Hello, (Not sure if this is the right place to post)

When we run a security scan on our site we get an error of "Session Cookie Does Not Contain the "Secure" Attribute" ( This could allow a man-in-the-middle attack)
Screen Shot: https://www.screencast.com/t/1cEiBQ1Zelb

Here is how it looks when using a cookie tool.. https://www.screencast.com/t/KXZxfflN 

It shows the cookie as only allowing over http but we need it over httpS

In my searching I find statements of how its to be set in code... such as on MSDN https://msdn.microsoft.com/en-us/library/system.web.httpcookie.httponly(v=vs.110).aspx ...
But my developer tells me "That link won't work. It is only applicable to webforms. We are using mvc"

So how to fix this this when using MVC?

Thanks
Shane Weddle

解决方案


这篇关于HttpCookie.HttpOnly属性使用MVC,如何设置为False?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!

07-30 05:46