我在web.config中设置了以下内容:
<system.web> <httpCookies httpOnlyCookies="true" requireSSL="true" /> </system.web>
当我使用HTTP连接访问网站时,它会重定向到我的登录页面(将方案指定为HTTPS).当浏览器获取此页面时,响应会设置一些cookie(ASP.NET会话cookie和我的登录表单的请求验证令牌):
Set-Cookie: __RequestVerificationToken=IHx8a2zQU374d5CtsoEVW…YtIc1; path=/; HttpOnly
Set-Cookie: ASP.NET_SessionId=pfbkkxx2seqhdrxxiodxfbmh; path=/; HttpOnly
它们有HttpOnly标志,这很好 – 但它们没有here on Wikipedia所述的安全标志.
如果我然后登录,则会创建一个身份验证cookie,并且确实设置了安全标志:
Set-Cookie:MyWebSite.Authentication=RE3UD…BDW4; path=/; secure; HttpOnly
如何确保在我的所有cookie上设置安全标志?
更新:根据要求,这是我得到的cURL输出(直接获取登录页面时):
curl https://www.mywebsite.com/Account/Login --verbose --insecure
得到:
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
* Trying 194.73.98.116...
* Connected to www.mywebsite.com (111.11.11.111) port 443 (#0)
* ALPN,offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* TLSv1.2 (OUT),TLS header,Certificate Status (22):
} [5 bytes data]
* TLSv1.2 (OUT),TLS handshake,Client hello (1):
} [512 bytes data]
* TLSv1.2 (IN),Server hello (2):
{ [85 bytes data]
* TLSv1.2 (IN),Certificate (11):
{ [2618 bytes data]
* TLSv1.2 (IN),Server key exchange (12):
{ [401 bytes data]
* TLSv1.2 (IN),Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT),Client key exchange (16):
} [138 bytes data]
* TLSv1.2 (OUT),TLS change cipher,Client hello (1):
} [1 bytes data]
* TLSv1.2 (OUT),Finished (20):
} [16 bytes data]
* TLSv1.2 (IN),Client hello (1):
{ [1 bytes data]
* TLSv1.2 (IN),Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-SHA384
* ALPN,server did not agree to a protocol
* Server certificate:
* subject: OU=Domain Control Validated; CN=*.mywebsite.com
* start date: 2015-07-29 13:37:38 GMT
* expire date: 2018-07-29 13:37:38 GMT
* issuer: C=US; ST=Arizona; L=Scottsdale; O=GoDaddy.com,Inc.; OU=http://certs.godaddy.com/repository/; CN=Go Daddy Secure Certificate Authority - G2
* SSL certificate verify result: unable to get local issuer certificate (20),continuing anyway.
} [5 bytes data]
> GET /Account/Login HTTP/1.1
> Host: www.mywebsite.com
> User-Agent: curl/7.43.0
> Accept: */*
>
{ [5 bytes data]
< HTTP/1.1 200 OK
< Cache-Control: no-cache,no-store,must-revalidate
< Pragma: no-cache
< Content-Type: text/html; charset=utf-8
< Expires: -1
< Server: Microsoft-IIS/8.5
< Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
< X-Frame-Options: Deny
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< Content-Security-Policy: default-src 'self';script-src 'self' www.google-analytics.com www.googletagmanager.com;object-src 'none';style-src 'self' fonts.googleapis.com;img-src 'self' www.google-analytics.com placehold.it placeholdit.imgix.net data:;media-src 'none';frame-src 'none';font-src 'self' fonts.gstatic.com;connect-src 'self';base-uri 'self';child-src 'none';frame-ancestors 'none';report-uri /WebResource.axd?cspReport=true
< X-Frame-Options: SAMEORIGIN
< X-Frame-Options: SAMEORIGIN
< Set-Cookie: __RequestVerificationToken=bPWxIp8e4F4I0Jt26t5oZyvDM6059tAWSRbgc-b6Df5IMjyYFDD9fJKgRsKVjbtN3EGgtFuHcf1sTjlYSwDWgnlhSUuNW1q5yv3cGMxmEwE1; path=/; HttpOnly
< Date: Fri,04 Dec 2015 10:03:35 GMT
< Content-Length: 12596
<
{ [12596 bytes data]
100 12596 100 12596 0 0 31101 0 --:--:-- --:--:-- --:--:-- 31101
* Connection #0 to host www.mywebsite.com left intact
解决方法
建议的方法是在处理页面请求时保护会话ID和表单请求cookie,例如,
// This code will mark the forms authentication cookie and the
// session cookie as Secure.
if (Response.Cookies.Count > 0)
{
foreach (string s in Response.Cookies.AllKeys)
{
if (s == FormsAuthentication.FormsCookieName || s.ToLower() == "asp.net_sessionid")
{
Response.Cookies[s].Secure = true;
}
}
}
以及webconfig中用于保护表单身份验证令牌的附加行:
<authentication mode="Forms"> <forms ... requireSSL="true" /> </authentication>
资料来源:
Securing Request-Response cookies – Secure forms authentication via Web.config
