我使用 VeraCode 来验证我的代码,在验证中,我发现了一个漏洞类型 CRLF Injection,因为我使用了一些 cookie。我试图用文件中的标签或后面的 C# 代码来解决httpOnlyCookies=true
,web.config
但CookieName.HttpOnly = true
它没有通过 VeraCode 中的验证。你有什么主意吗?
这是我的代码,我在超类 UserInfo.cs 中声明了 cookie:
private HttpCookie httpCookie = null;
public UserInfo()
{
if (this.httpCookie == null)
{
this.httpCookie = this.Context.Request.Cookies["ExampleCookie"];
}
if (this.httpCookie == null)
{
this.httpCookie = new HttpCookie("ExampleCookie");
this.httpCookie.HttpOnly = true; //I tried with this too
this.Context.Response.Cookies.Set(this.httpCookie);
}
}
static public UserInfo GetCurrent
{
get
{
return new UserInfo();
}
}
public string UserName
{
set
{
this.httpCookie.Values["UserName"] = value.ToString();
this.Context.Response.SetCookie(this.httpCookie);
}
get
{
return this.httpCookie["UserName"] == null ? string.Empty : this.httpCookie["UserName"].ToString();
}
}
网络配置:
<system.web>
<httpCookies httpOnlyCookies="true" />