问题描述

在我的web项目是不存在。它默认为false。也有是在饼干被设置为仅Http code没有立足之地。但是，当我浏览到该网站，我可以看到ASP.NET_Session的cookie被作为仅Http通过。它是如何设置的HttpOnly？

In my web project setting to turn on httpOnlyCookies is not there. It is false by default. Also there is no place in code where cookie is being set to HttpOnly. However, when I browse to the site I can see that ASP.NET_Session cookie is being passed as HttpOnly. How is it set to HttpOnly?

推荐答案

ASP.NET会话cookie是HTTP只是，无论 httpOnlyCookies 设置链接到你的问题，因为这是烧入ASP.NET。你不能覆盖这一点。

ASP.NET session cookies are HTTP only, regardless of the httpOnlyCookies setting linked to in your question, because this is burned into ASP.NET. You can't override this.

如果你深入到 System.Web.SessionState.SessionIDManager 类System.Web程序集的code用于创建ASP.NET会话cookie看起来像

If you dig into the System.Web.SessionState.SessionIDManager class in the System.Web assembly the code for creating the ASP.NET session cookie looks like:

private static HttpCookie CreateSessionCookie(string id)
{
    HttpCookie cookie = new HttpCookie(Config.CookieName, id);
    cookie.Path = "/";
    cookie.HttpOnly = true;   // <-- burned in
    return cookie;
}

这篇关于如何获得的HttpOnly设置ASP.NET_SessionId的cookie？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！