
(FWIW, I've also posted this question on my blog: http://blog.wolffmyren.com/2011/07/11/ie-protected-mode-ssl/

Does anyone know how to work around the Internet Explorer Protected Mode restriction without requiring end users to add our site to their Trusted Sites list?

The problem is that if we enable SSL login for our site, users can then only access SSL pages. IE prevents our non-SSL served pages from accessing cookies created during the SSL session, so we can either serve everything over SSL (very expensive/resource-intensive) or find some way to set a non-SSL cookie during the login process.

This MSDN article (What does ielowutil.exe have to do with Internet Explorer 8.0?) has the most relevant information I've found, but it discusses using the Windows API, and I'm looking for a solution that can be implemented in ASP.NET, JavaScript, or some other readily deliverable solution.


Update: a friend of mine shared these links, hopefully they'll be helpful:


2 Answers


It looks like IIS is giving you secure cookies over your HTTPS connection, which is very sensible indeed. These cookies are designed not to be leaked to a plain HTTP connection, hence the result you get.

You could create a secondary, non-secure cookie to pass some authentication information to the HTTP side of your site. However, once you've done this, don't assume that whatever was done or sent during the plain HTTP session was done by the legitimate authenticated user, if at some point you need to go back to HTTPS. It can be OK to pass an authentication token from HTTPS to HTTP, but not the other way. (You'd still be vulnerable to attacks in plain HTTP of course, but this may be an acceptable risk in your application.)

There's more about this problem in this question (what applies to Tomcat would be the same with any web server, including IIS): Tomcat session management - url rewrite and switching from http to https

answered 2011-07-12T09:58:57.003
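As an added illustration of the answer above (this is not code from the question or the answers, and it is a Python sketch rather than an ASP.NET one; the cookie names, the signing key and the browser model are assumptions), the following issues a Secure session cookie plus a separate non-Secure, signed, read-only token at login, and shows why the HTTPS side must never promote that token back to a full session:

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

# Constructed values for the example: a real site loads its key from config.
SERVER_KEY = b"example-only-hmac-key"
SECURE_COOKIE = "auth"      # assumed name of the full (Secure-flagged) session cookie
RO_COOKIE = "auth_ro"       # assumed name of the secondary, non-Secure token
SESSIONS = {}               # server-side session store: session id -> user name

def sign(payload: str) -> str:
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()

def issue_login_cookies(user: str, now: int) -> SimpleCookie:
    """At login (over HTTPS) set both cookies: the Secure session cookie the browser
    only returns over https, and a signed read-only token without the Secure flag."""
    jar = SimpleCookie()
    sid = secrets.token_urlsafe(24)
    SESSIONS[sid] = user
    jar[SECURE_COOKIE] = sid
    jar[SECURE_COOKIE]["secure"] = True
    jar[SECURE_COOKIE]["httponly"] = True
    payload = f"{user}|ro|{now + 3600}"          # user, scope tag, expiry
    jar[RO_COOKIE] = f"{payload}|{sign(payload)}"
    jar[RO_COOKIE]["httponly"] = True           # deliberately no "secure" here
    return jar

def cookies_sent_by_browser(jar: SimpleCookie, scheme: str) -> dict:
    """Model of the browser rule: Secure cookies are never sent over plain http."""
    return {k: m.value for k, m in jar.items() if scheme == "https" or not m["secure"]}

def verify_ro_token(value: str, now: int):
    """Validate the non-Secure token; returns the user name or None."""
    parts = value.split("|")
    if len(parts) != 4:
        return None
    user, scope, exp, sig = parts
    ok = hmac.compare_digest(sig, sign(f"{user}|{scope}|{exp}"))
    return user if ok and scope == "ro" and now <= int(exp) else None

def authorize(cookies: dict, privileged: bool, now: int):
    """Privileged actions accept only the Secure session cookie; read-only pages
    may use the ro token, which is never upgraded to a full session."""
    if privileged:
        return SESSIONS.get(cookies.get(SECURE_COOKIE))
    token = cookies.get(RO_COOKIE)
    return verify_ro_token(token, now) if token else None
```

A token copied off the HTTP side therefore identifies the user for low-value pages only; anything that changes account state still requires the Secure cookie, which the browser only presents over HTTPS.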

As Bruno hinted, you should check whether the SECURE attribute is set on your cookie (using the F12 Developer Tools or Fiddler). If so, you'll see this behavior in all browsers.

If not, then the problem is most likely that you're in the Trusted zone and http://whatever.com is not in the Trusted zone. If that's your configuration, then yes, Protected Mode is the root cause of the problem, which I explain more fully here:

http://blogs.msdn.com/b/ieinternals/archive/2011/03/10/internet-explorer-beware-cookie-sharing-in-cross-zone-scenarios.aspx

answered 2011-07-12T13:16:16.167