We have an externally facing application which was penetration-tested by an external security company. The application has been developed on ASP.NET MVC4 and is running on IIS8/Windows
An alteration to AnarchistGeek's answer: you don't want to iterate over Request.Cookies directly because adding a cookie by using the response collection makes the cookie immediately available in the request collection (see the note in the HttpRequest.Cookies docs here). That will leave you with a "Collection was modified after the enumerator was instantiated" error when you go to set/alter the response .ASPXAUTH cookie, because it is also modifying the request collection.
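    protected void Application_EndRequest(Object sender, EventArgs e)
    {
        // Name of the forms-authentication cookie (.ASPXAUTH by default).
        string authCookie = FormsAuthentication.FormsCookieName;

        // AllKeys returns a copy of the names, so the loop does not enumerate
        // Request.Cookies while the Response.Cookies access below modifies it.
        string[] cookieNames = Request.Cookies.AllKeys;
        foreach (string sCookie in cookieNames)
        {
            if (sCookie.Equals(authCookie))
            {
                // Mark the outgoing auth cookie as Secure (sent over HTTPS only).
                var httpCookie = Response.Cookies[sCookie];
                if (httpCookie != null) httpCookie.Secure = true;
            }
        }
    }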
Note that this particular solution will clear the existing value of the .ASPXAUTH cookie (see this post)
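
A variant that avoids the value-clearing side effect noted above, as an added example that is not part of the original answer: it walks Response.Cookies by index, so only an auth cookie that this response is actually issuing gets the Secure flag. The class name MvcApplication and the helper MarkSecureIfIssued are assumptions for illustration.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Added example for Global.asax.cs. MvcApplication is an assumed class name;
// MarkSecureIfIssued is a hypothetical helper, not a framework API.
public class MvcApplication : HttpApplication
{
    protected void Application_EndRequest(object sender, EventArgs e)
    {
        MarkSecureIfIssued(Response.Cookies, FormsAuthentication.FormsCookieName);
    }

    // Flags every cookie named cookieName that is already in the outgoing
    // collection. Returns true when at least one cookie was flagged.
    internal static bool MarkSecureIfIssued(HttpCookieCollection issued, string cookieName)
    {
        bool flagged = false;

        // Index access only reads existing entries. Looking a cookie up by
        // name in Response.Cookies creates an empty one when it is missing,
        // and that empty cookie is what replaces the browser's ticket.
        for (int i = 0; i < issued.Count; i++)
        {
            HttpCookie cookie = issued[i];
            if (string.Equals(cookie.Name, cookieName, StringComparison.Ordinal))
            {
                cookie.Secure = true; // value and expiry stay as issued
                flagged = true;
            }
        }

        // False means this response sets no auth cookie, so nothing is sent
        // and the cookie already held by the browser is left untouched.
        return flagged;
    }
}
```

Setting requireSSL="true" on the forms element in web.config makes FormsAuthentication issue the cookie with the Secure attribute itself, which removes the need for this handler.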