受这篇 CodingHorror 文章“保护您的 Cookie:HttpOnly ”的启发
你如何设置这个属性?在网络配置的某个地方?
如果您使用的是 ASP.NET 2.0 或更高版本,则可以在 Web.config 文件中将其打开。在 <system.web> 部分中,添加以下行:
<httpCookies httpOnlyCookies="true"/>
借助 Rick 的道具(提到的博客文章中的第二条评论),这是关于 httpOnlyCookies的MSDN 文章。
底线是您只需在 web.config 的 system.web 部分中添加以下部分:
<httpCookies domain="" httpOnlyCookies="true|false" requireSSL="true|false" />
如果您想在代码中执行此操作,请使用System.Web.HttpCookie.HttpOnly属性。
这直接来自 MSDN 文档:
// Create a new HttpCookie.
HttpCookie myHttpCookie = new HttpCookie("LastVisit", DateTime.Now.ToString());
// By default, the HttpOnly property is set to false
// unless specified otherwise in configuration.
myHttpCookie.Name = "MyHttpCookie";
Response.AppendCookie(myHttpCookie);
// Show the name of the cookie.
Response.Write(myHttpCookie.Name);
// Create an HttpOnly cookie.
HttpCookie myHttpOnlyCookie = new HttpCookie("LastVisit", DateTime.Now.ToString());
// Setting the HttpOnly value to true, makes
// this cookie accessible only to ASP.NET.
myHttpOnlyCookie.HttpOnly = true;
myHttpOnlyCookie.Name = "MyHttpOnlyCookie";
Response.AppendCookie(myHttpOnlyCookie);
// Show the name of the HttpOnly cookie.
Response.Write(myHttpOnlyCookie.Name);
Doing it in code allows you to selectively choose which cookies are HttpOnly and which are not.
Interestingly putting <httpCookies httpOnlyCookies="false"/>
doesn't seem to disable httpOnlyCookies
in ASP.NET 2.0. Check this article about SessionID and Login Problems With ASP .NET 2.0.
Looks like Microsoft took the decision to not allow you to disable it from the web.config. Check this post on forums.asp.net