blocks|key|685191|text|如果整个站点都使用HTTPS，那么您的sessionId+cookie至少和HTTPS加密一样安全。这是因为cookies作为HTTP标头发送，并且在使用SSL时，HTTP标头在传输时使用SSL进行加密。|type|unstyled|depth|inlineStyleRanges|entityRanges|data|685192|entityMap^0|0^^$0|@$1|2|3|4|5|6|7|D|8|@]|9|@]|A|$]]|$1|B|3|-4|5|6|7|E|8|@]|9|@]|A|$]]]|C|$]]

<p>If the entire site uses HTTPS, your sessionId cookie is as secure as the HTTPS encryption at the very least. This is because cookies are sent as HTTP headers, and when using SSL, the HTTP headers are encrypted using the SSL when being transmitted.</p>


blocks|key|901780|text|下面是摘自blog+article+written+by+Anubhav+Goyal的代码片段|type|unstyled|depth|inlineStyleRanges|entityRanges|offset|length|data|901781|//+this+code+will+mark+the+forms+authentication+cookie+and+the
//+session+cookie+as+Secure.
if+(Response.Cookies.Count+>+0)
{
++++foreach+(string+s+in+Response.Cookies.AllKeys)
++++{
++++++++if+(s+==+FormsAuthentication.FormsCookieName+%7C%7C+"asp.net_sessionid".Equals(s,+StringComparison.InvariantCultureIgnoreCase))
++++++++{
+++++++++++++Response.Cookies[s].Secure+=+true;
++++++++}
++++}
}|code-block|syntax|javascript|901782|将它添加到global.asax中的EndRequest事件处理程序应该会使所有页面调用都发生这种情况。|901783|注意:建议进行编辑，以便在成功的“安全”赋值中添加break;语句。我拒绝了这个编辑，因为它只允许强制保护1个cookie，而忽略第二个cookie。添加计数器或一些其他度量来确定两者都已被保护并在该点上中断并不是不可能的。|style|CODE|901784|entityMap|0|LINK|mutability|MUTABLE|url|http://anubhavg.wordpress.com/2008/02/05/how-to-mark-session-cookie-secure/^0|5|11|0|0|0|0|P|6|0^^$0|@$1|2|3|4|5|6|7|W|8|@]|9|@$A|X|B|Y|1|Z]]|C|$]]|$1|D|3|E|5|F|7|10|8|@]|9|@]|C|$G|H]]|$1|I|3|J|5|6|7|11|8|@]|9|@]|C|$]]|$1|K|3|L|5|6|7|12|8|@$A|13|B|14|M|N]]|9|@]|C|$]]|$1|O|3|-4|5|6|7|15|8|@]|9|@]|C|$]]]|P|$Q|$5|R|S|T|C|$U|V]]]]

<p>Here is a code snippet taken from a <a href="http://anubhavg.wordpress.com/2008/02/05/how-to-mark-session-cookie-secure/" rel="noreferrer">blog article written by Anubhav Goyal</a>:</p>

<pre><code>// this code will mark the forms authentication cookie and the
// session cookie as Secure.
if (Response.Cookies.Count &gt; 0)
{
    foreach (string s in Response.Cookies.AllKeys)
    {
        if (s == FormsAuthentication.FormsCookieName || "asp.net_sessionid".Equals(s, StringComparison.InvariantCultureIgnoreCase))
        {
             Response.Cookies[s].Secure = true;
        }
    }
}
</code></pre>

<p>Adding this to the EndRequest event handler in the global.asax should make this happen for all page calls.</p>

<p>Note: An edit was proposed to add a <code>break;</code> statement inside a successful "secure" assignment. I've rejected this edit based on the idea that it would only allow 1 of the cookies to be forced to secure and the second would be ignored. It is not inconceivable to add a counter  or some other metric to determine that both have been secured and to break at that point.</p>


blocks|key|685338|text|要将;+secure后缀添加到Set-Cookie+http标头，我只需在web.config中使用<httpCookies>元素：|type|unstyled|depth|inlineStyleRanges|offset|length|style|CODE|entityRanges|data|685339|<system.web>
++<httpCookies+httpOnlyCookies="true"+requireSSL="true"+/>
</system.web>|code-block|syntax|javascript|685340|我比在Anubhav+Goyal的文章中写代码要方便得多。|685341|请参阅：http://msdn.microsoft.com/en-us/library/ms228262(v=vs.100).aspx|685342|entityMap|0|LINK|mutability|MUTABLE|url|http://msdn.microsoft.com/en-us/library/ms228262(v=vs.100).aspx^0|2|8|F|A|1E|D|0|0|0|4|1R|0|0^^$0|@$1|2|3|4|5|6|7|W|8|@$9|X|A|Y|B|C]|$9|Z|A|10|B|C]|$9|11|A|12|B|C]]|D|@]|E|$]]|$1|F|3|G|5|H|7|13|8|@]|D|@]|E|$I|J]]|$1|K|3|L|5|6|7|14|8|@]|D|@]|E|$]]|$1|M|3|N|5|6|7|15|8|@]|D|@$9|16|A|17|1|18]]|E|$]]|$1|O|3|-4|5|6|7|19|8|@]|D|@]|E|$]]]|P|$Q|$5|R|S|T|E|$U|V]]]]

<p>To add the <code>; secure</code> suffix to the <code>Set-Cookie</code> http header I simply used the <code>&lt;httpCookies&gt;</code> element in the web.config:</p>

<pre><code>&lt;system.web&gt;
  &lt;httpCookies httpOnlyCookies="true" requireSSL="true" /&gt;
&lt;/system.web&gt;
</code></pre>

<p>IMHO much more handy than writing code as in the article of Anubhav Goyal. </p>

<p>See: <a href="http://msdn.microsoft.com/en-us/library/ms228262(v=vs.100).aspx" rel="noreferrer">http://msdn.microsoft.com/en-us/library/ms228262(v=vs.100).aspx</a></p>


blocks|key|901872|text|按照上面Marcel的解决方案来保护Forms+Authentication+cookie，您还应该更新"authentication“配置元素以使用SSL|type|unstyled|depth|inlineStyleRanges|entityRanges|data|901873|<authentication+mode="Forms">
+++<forms+...++requireSSL="true"+/>
</authentication>|code-block|syntax|javascript|901874|否则，身份验证cookie将不是https|901875|请参阅：http://msdn.microsoft.com/en-us/library/vstudio/1d3t3c61(v=vs.100).aspx|offset|length|901876|entityMap|0|LINK|mutability|MUTABLE|url|http://msdn.microsoft.com/en-us/library/vstudio/1d3t3c61(v=vs.100).aspx^0|0|0|0|4|1Z|0|0^^$0|@$1|2|3|4|5|6|7|U|8|@]|9|@]|A|$]]|$1|B|3|C|5|D|7|V|8|@]|9|@]|A|$E|F]]|$1|G|3|H|5|6|7|W|8|@]|9|@]|A|$]]|$1|I|3|J|5|6|7|X|8|@]|9|@$K|Y|L|Z|1|10]]|A|$]]|$1|M|3|-4|5|6|7|11|8|@]|9|@]|A|$]]]|N|$O|$5|P|Q|R|A|$S|T]]]]

<p>Going with Marcel's solution above to secure Forms Authentication cookie you should also update "authentication" config element to use SSL</p>

<pre><code>&lt;authentication mode="Forms"&gt;
   &lt;forms ...  requireSSL="true" /&gt;
&lt;/authentication&gt;
</code></pre>

<p>Other wise authentication cookie will not be https</p>

<p>See: <a href="http://msdn.microsoft.com/en-us/library/vstudio/1d3t3c61(v=vs.100).aspx">http://msdn.microsoft.com/en-us/library/vstudio/1d3t3c61(v=vs.100).aspx</a></p>


blocks|key|901916|text|发现在Session_Start中设置secure属性就足够了，正如MSDN+blog+"Securing+Session+ID:+ASP/ASP.NET“中所建议的那样，并进行了一些增强。|type|unstyled|depth|inlineStyleRanges|entityRanges|offset|length|data|901917|++++protected+void+Session_Start(Object+sender,+EventArgs+e)
++++{
++++++++SessionStateSection+sessionState+=+
+(SessionStateSection)ConfigurationManager.GetSection("system.web/sessionState");
++++++++string+sidCookieName+=+sessionState.CookieName;

++++++++if+(Request.Cookies[sidCookieName]+!=+null)
++++++++{
++++++++++++HttpCookie+sidCookie+=+Response.Cookies[sidCookieName];
++++++++++++sidCookie.Value+=+Session.SessionID;
++++++++++++sidCookie.HttpOnly+=+true;
++++++++++++sidCookie.Secure+=+true;
++++++++++++sidCookie.Path+=+"/";
++++++++}
++++}|code-block|syntax|javascript|901918|entityMap|0|LINK|mutability|MUTABLE|url|http://blogs.msdn.com/b/jaskis/archive/2009/12/23/securing-session-id-asp-asp-net.aspx^0|19|W|0|0|0^^$0|@$1|2|3|4|5|6|7|Q|8|@]|9|@$A|R|B|S|1|T]]|C|$]]|$1|D|3|E|5|F|7|U|8|@]|9|@]|C|$G|H]]|$1|I|3|-4|5|6|7|V|8|@]|9|@]|C|$]]]|J|$K|$5|L|M|N|C|$O|P]]]]

<p>Found that setting the secure property in Session_Start is sufficient, as recommended in MSDN blog "<a href="http://blogs.msdn.com/b/jaskis/archive/2009/12/23/securing-session-id-asp-asp-net.aspx">Securing Session ID: ASP/ASP.NET</a>" with some augmentation.</p>

<pre><code>    protected void Session_Start(Object sender, EventArgs e)
    {
        SessionStateSection sessionState = 
 (SessionStateSection)ConfigurationManager.GetSection("system.web/sessionState");
        string sidCookieName = sessionState.CookieName;

        if (Request.Cookies[sidCookieName] != null)
        {
            HttpCookie sidCookie = Response.Cookies[sidCookieName];
            sidCookie.Value = Session.SessionID;
            sidCookie.HttpOnly = true;
            sidCookie.Secure = true;
            sidCookie.Path = "/";
        }
    }
</code></pre>


blocks|key|685483|text|添加到@JoelEtherton的解决方案中，以修复新发现的安全漏洞。如果用户请求HTTP并重定向到HTTPS，但在第一次请求HTTP时将sessionid+cookie设置为安全，则会出现此漏洞。根据McAfee+Secure的说法，这现在是一个安全漏洞。|type|unstyled|depth|inlineStyleRanges|entityRanges|data|685484|此代码仅在请求使用HTTPS时才会保护cookies。如果不是HTTPS，它将使sessionid+cookie过期。|685485|++++//+this+code+will+mark+the+forms+authentication+cookie+and+the
++++//+session+cookie+as+Secure.
++++if+(Request.IsSecureConnection)
++++{
++++++++if+(Response.Cookies.Count+>+0)
++++++++{
++++++++++++foreach+(string+s+in+Response.Cookies.AllKeys)
++++++++++++{
++++++++++++++++if+(s+==+FormsAuthentication.FormsCookieName+%7C%7C+s.ToLower()+==+"asp.net_sessionid")
++++++++++++++++{
++++++++++++++++++++Response.Cookies[s].Secure+=+true;
++++++++++++++++}
++++++++++++}
++++++++}
++++}
++++else
++++{
++++++++//if+not+secure,+then+don't+set+session+cookie
++++++++Response.Cookies["asp.net_sessionid"].Value+=+string.Empty;
++++++++Response.Cookies["asp.net_sessionid"].Expires+=+new+DateTime(2018,+01,+01);
++++}|code-block|syntax|javascript|685486|entityMap^0|0|0|0^^$0|@$1|2|3|4|5|6|7|K|8|@]|9|@]|A|$]]|$1|B|3|C|5|6|7|L|8|@]|9|@]|A|$]]|$1|D|3|E|5|F|7|M|8|@]|9|@]|A|$G|H]]|$1|I|3|-4|5|6|7|N|8|@]|9|@]|A|$]]]|J|$]]

<p>Adding onto @JoelEtherton's solution to fix a newly found security vulnerability. This vulnerability happens if users request HTTP and are redirected to HTTPS, but the sessionid cookie is set as secure on the first request to HTTP.  That is now a security vulnerability, according to McAfee Secure.</p>

<p>This code will only secure cookies if request is using HTTPS.  It will expire the sessionid cookie, if not HTTPS.  </p>

<pre><code>    // this code will mark the forms authentication cookie and the
    // session cookie as Secure.
    if (Request.IsSecureConnection)
    {
        if (Response.Cookies.Count &gt; 0)
        {
            foreach (string s in Response.Cookies.AllKeys)
            {
                if (s == FormsAuthentication.FormsCookieName || s.ToLower() == "asp.net_sessionid")
                {
                    Response.Cookies[s].Secure = true;
                }
            }
        }
    }
    else
    {
        //if not secure, then don't set session cookie
        Response.Cookies["asp.net_sessionid"].Value = string.Empty;
        Response.Cookies["asp.net_sessionid"].Expires = new DateTime(2018, 01, 01);
    }
</code></pre>


blocks|key|685525|text|同样值得考虑的是：|type|unstyled|depth|inlineStyleRanges|entityRanges|data|685526|使用cookie前缀|685527|__Secure-,+which+signals+to+the+browser+that+the+Secure+attribute+is+required.
__Host-,+which+signals+to+the+browser+that+both+the+Path=/+and+Secure+attributes+are+required,+and+at+the+same+time,+that+the+Domain+attribute+must+not+be+present.|code-block|syntax|javascript|685528|这是一篇很好的文章，解释了为什么这会有帮助|685529|https://check-your-website.server-daten.de/prefix-cookies.html|offset|length|685530|685531|重命名cookies|685532|而不是使用清楚地标识编程语言的名称。|685533|e.g|685534|ASP.NET_SessionId+=+__Secure-SID|style|CODE|685535|685536|使用相同站点设置|685537|sameSite="Lax"|685538|https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite|685539|685540|确保cookie+https安全|685541|requireSSL="true"|685542|685543|安全示例|685544|<sessionState+cookieless="false"+cookieName="__Secure-SID"+cookieSameSite="Lax"+/>
<httpCookies+httpOnlyCookies="true"+sameSite="Lax"+requireSSL="true"+/>|685545|entityMap|0|LINK|mutability|MUTABLE|url|1^0|0|0|0|0|0|1Q|0|0|0|0|0|0|0|W|0|0|0|0|E|0|0|25|1|0|0|0|0|H|0|0|0|0^^$0|@$1|2|3|4|5|6|7|1O|8|@]|9|@]|A|$]]|$1|B|3|C|5|6|7|1P|8|@]|9|@]|A|$]]|$1|D|3|E|5|F|7|1Q|8|@]|9|@]|A|$G|H]]|$1|I|3|J|5|6|7|1R|8|@]|9|@]|A|$]]|$1|K|3|L|5|6|7|1S|8|@]|9|@$M|1T|N|1U|1|1V]]|A|$]]|$1|O|3|-4|5|6|7|1W|8|@]|9|@]|A|$]]|$1|P|3|Q|5|6|7|1X|8|@]|9|@]|A|$]]|$1|R|3|S|5|6|7|1Y|8|@]|9|@]|A|$]]|$1|T|3|U|5|6|7|1Z|8|@]|9|@]|A|$]]|$1|V|3|W|5|6|7|20|8|@$M|21|N|22|X|Y]]|9|@]|A|$]]|$1|Z|3|-4|5|6|7|23|8|@]|9|@]|A|$]]|$1|10|3|11|5|6|7|24|8|@]|9|@]|A|$]]|$1|12|3|13|5|6|7|25|8|@$M|26|N|27|X|Y]]|9|@]|A|$]]|$1|14|3|15|5|6|7|28|8|@]|9|@$M|29|N|2A|1|2B]]|A|$]]|$1|16|3|-4|5|6|7|2C|8|@]|9|@]|A|$]]|$1|17|3|18|5|6|7|2D|8|@]|9|@]|A|$]]|$1|19|3|1A|5|6|7|2E|8|@$M|2F|N|2G|X|Y]]|9|@]|A|$]]|$1|1B|3|-4|5|6|7|2H|8|@]|9|@]|A|$]]|$1|1C|3|1D|5|6|7|2I|8|@]|9|@]|A|$]]|$1|1E|3|1F|5|F|7|2J|8|@]|9|@]|A|$G|H]]|$1|1G|3|-4|5|6|7|2K|8|@]|9|@]|A|$]]]|1H|$1I|$5|1J|1K|1L|A|$1M|L]]|1N|$5|1J|1K|1L|A|$1M|15]]]]

<p>It is also worth considering:</p>
<h2>Using cookie prefixes</h2>
<pre><code>__Secure-, which signals to the browser that the Secure attribute is required.
__Host-, which signals to the browser that both the Path=/ and Secure attributes are required, and at the same time, that the Domain attribute must not be present.
</code></pre>
<p>A good article on why this helps</p>
<p><a href="https://check-your-website.server-daten.de/prefix-cookies.html" rel="nofollow noreferrer">https://check-your-website.server-daten.de/prefix-cookies.html</a></p>
<hr />
<h2>Renaming your cookies</h2>
<p>Instead of using names that clearly identify programming language.</p>
<p>e.g</p>
<p><code>ASP.NET_SessionId = __Secure-SID</code></p>
<hr />
<h2>Using samesite settings</h2>
<p><code>sameSite=&quot;Lax&quot;</code></p>
<p><a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite" rel="nofollow noreferrer">https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite</a></p>
<hr />
<h2>Make cookie https secure</h2>
<p><code>requireSSL=&quot;true&quot;</code></p>
<hr />
<h2>SECURE EXAMPLE</h2>
<pre><code>&lt;sessionState cookieless=&quot;false&quot; cookieName=&quot;__Secure-SID&quot; cookieSameSite=&quot;Lax&quot; /&gt;
&lt;httpCookies httpOnlyCookies=&quot;true&quot; sameSite=&quot;Lax&quot; requireSSL=&quot;true&quot; /&gt;
</code></pre>


<p>I have set the .ASPXAUTH cookie to be https only but I am not sure how to effectively do the same with the ASP.NET_SessionId.</p>

<p>The entire site uses HTTPS so there is no need for the cookie to work with both http and https.</p>


How to secure the ASP.NET_SessionId cookie?

身份验证

我已经将https cookie设置为仅https，但我不确定如何有效地对ASP.NET_SessionId执行相同的操作。整个站点都使用https，因此cookie不需要同时使用http和HTTPS。

问如何保护ASP.NET_SessionId cookie？
EN

社区

活动

资源

关于

腾讯云开发者

热门产品

热门推荐

更多推荐

问如何保护ASP.NET_SessionId cookie？EN

社区

活动

资源

关于

腾讯云开发者

热门产品

热门推荐

更多推荐

问如何保护ASP.NET_SessionId cookie？
EN