使用这样的代码安全吗?
Response.Cookies[cookieName].Path = Request.ApplicationPath + "/";
我想知道所有极端情况,请...
问问题
3187 次
3 回答
6
In short, no, it's not safe. Using cookie paths is fraught with problems as they are case sensitive in IE and Chrome, but not FF. This means any mismatch in path case will stuff things up.
When generating a cookie, if the path you set differs in case from what the user typed, browsers won't store it.
When the user returns, if the path they enter differs in case from the first trip, the browser won't supply the cookie with the request.
What problem are you trying to solve?
于 2010-03-25T11:26:03.140 回答
3
如果您的应用程序在域的根目录中运行,Request.ApplicationPath == "/". 因此,使用您的代码,您的 cookie 的路径将是//. 你可以通过这样做来避开这个问题:
cookie.Path = Request.ApplicationPath;
if (cookie.Path.Length > 1) cookie.Path += '/';
正如Will 正确指出的那样,您需要确保您的应用程序强制使用一致的 URL 大小写(即将所有 URL 包含大写字母的请求重定向到其等效的小写字母)。
除此之外,我相信你应该没问题。如果您希望所有 cookie 都是“应用程序范围的”,请考虑IHttpModule使用如下代码(或扩展global.asax.cs)创建自定义:
private void Application_EndRequest(object sender, EventArgs e)
{
var app = (HttpApplication)sender;
var cookiePath = app.Request.ApplicationPath;
if (cookiePath.Length > 1) cookiePath += '/';
foreach (string name in app.Response.Cookies.AllKeys)
{
var cookie = app.Response.Cookies[name];
cookie.Path = cookiePath;
}
}
于 2010-03-25T11:24:36.920 回答
1
No, it's not safe, for the reasons that Will specified.
But... You may want to employ this technique to fulfill your intent.
于 2010-07-16T01:49:38.533 回答