Besides restricting the Domain to tighten security, .NET 2.0 adds a new cookie property for managing a site's cookies: HttpOnly. Excellent!
While building a cookie feature I used this HttpOnly property of the cookie.

```csharp
// Inside an ASP.NET page (System.Web): create a cookie scoped to .test.com,
// mark it HttpOnly and send it with the response
HttpCookie a = new HttpCookie("TestName", "TestValue");
a.Domain = ".test.com";
a.HttpOnly = true;
Response.Cookies.Add(a);
```

I assumed that after this the client would no longer be able to access the cookie!
The result, however, was as shown in the figure.
That seemed odd, so I went back to MSDN
and learned that there are actually two cookie classes: System.Web.HttpCookie and System.Net.Cookie.
Note that the namespaces differ.
The two classes are described as follows:
Cookie class: provides a set of properties and methods used to manage cookies. This class cannot be inherited. Namespace:
System.Net
HttpCookie class:
provides a type-safe way to create and manipulate individual HTTP cookies.
Namespace:
System.Web
Both classes have an HttpOnly property, described respectively as follows:
Cookie.HttpOnly property. Note: this property is new in the .NET Framework version 2.0. Determines whether page scripts or other active content can access this cookie.
HttpCookie.HttpOnly property. Note: this property is new in the .NET Framework version 2.0.
Gets or sets a value that specifies whether a cookie is accessible by client-side script.
Here is the question: the key point is what is doing the accessing.
I don't quite understand what Microsoft's machine-translated “page scripts or other active content” is actually supposed to mean.
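One way to see what System.Net.Cookie.HttpOnly is on the client side: it is only a flag parsed out of the Set-Cookie header, not an access restriction. The following is an added example, not code from the original post. It feeds a constructed Set-Cookie header carrying the two cookies the test page below sets into a System.Net.CookieContainer (the same parser HttpWebResponse uses) and shows that the cookie marked HttpOnly is still readable by the client program and is still placed in the Cookie request header. The page URL is the one used later in the post; the header text and the class name HttpOnlyClientDemo are constructed for this example.

```csharp
using System;
using System.Net;

// Added example: what System.Net.Cookie.HttpOnly means for a non-browser client.
class HttpOnlyClientDemo
{
    static void Main()
    {
        // Constructed sample: the two cookies the test page sets, as the server
        // would send them in Set-Cookie headers (HttpWebResponse joins them with commas).
        Uri pageUri = new Uri("http://10.103.33.102:2888/TestCookie.aspx");
        string setCookieHeaders = "TestName=TestValue; path=/, TestB=TestB; path=/; HttpOnly";

        // CookieContainer parses the header exactly as it would for a real response
        CookieContainer jar = new CookieContainer();
        jar.SetCookies(pageUri, setCookieHeaders);

        // Both cookies, HttpOnly or not, are fully readable by the client code:
        // the flag is recorded on the Cookie object but does not hide the value
        foreach (Cookie c in jar.GetCookies(pageUri))
        {
            Console.WriteLine("{0}={1}  HttpOnly={2}", c.Name, c.Value, c.HttpOnly);
        }

        // The Cookie request header that would be sent back to the server also
        // includes the HttpOnly cookie; only browsers hide such cookies, and only
        // from script (document.cookie), never from the HTTP exchange itself
        Console.WriteLine("Cookie header sent back: " + jar.GetCookieHeader(pageUri));
    }
}
```

Running this prints both cookies with their HttpOnly flag and a Cookie header containing both TestName and TestB. The point for a defender is that HttpOnly protects a cookie against script running in a browser, not against the application or any other HTTP client that legitimately receives the response.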
So I ran a test. I created a Web Application and, in the Page_Load event of the TestCookie.aspx page, added:

```csharp
// Page_Load of TestCookie.aspx
//Response.Cookies.Clear();

// System.Web.HttpCookie: the server-side class
HttpCookie a = new HttpCookie("TestName", "TestValue");
//a.Domain = Request.ServerVariables["HTTP_HOST"];
a.HttpOnly = false;
Response.Cookies.Add(a);

HttpCookie b = new HttpCookie("TestB", "TestB");
b.HttpOnly = true;
//b.Domain = Request.ServerVariables["HTTP_HOST"];
Response.Cookies.Add(b);

// Cookies added to Response.Cookies also show up in Request.Cookies on this request
Response.Write("System.Web.HttpCookie;------------<br/>");
for (int i = 0; i < Request.Cookies.Count; i++)
{
    HttpCookie cook = Request.Cookies[i];

    Response.Write("<Br/>");
    Response.Write("Cookie:");
    Response.Write(string.Format("{0}={1}", cook.Name, cook.Value) + "<Br/>");
    //Response.Write(string.Format("Domain:{0}", cook.Domain) + "<Br/>");
    Response.Write(string.Format("Path:{0}", cook.Path) + "<Br/>");
    Response.Write(string.Format("Secure:{0}", cook.Secure) + "<Br/>");
    Response.Write(string.Format("HttpOnly:{0}", cook.HttpOnly) + "<Br/>");
}

// System.Net.Cookie: the client-side class, held here in a CookieCollection
//System.Net.CookieContainer CookieContainerObject = new System.Net.CookieContainer();
System.Net.CookieCollection CookieCollectionObject = new System.Net.CookieCollection();
System.Net.Cookie a2 = new System.Net.Cookie("TestName2", "TestValue2");
a2.HttpOnly = false;
a2.Domain = Request.ServerVariables["HTTP_HOST"];
//CookieContainerObject.Add(a2);
CookieCollectionObject.Add(a2);

System.Net.Cookie b2 = new System.Net.Cookie("TestB2", "TestB2");
b2.HttpOnly = true;
b2.Domain = Request.ServerVariables["HTTP_HOST"];
//CookieContainerObject.Add(b2);
CookieCollectionObject.Add(b2);

Response.Write("<Br/>");
Response.Write("System.Net.Cookie;*********************<br/>");
foreach (System.Net.Cookie ck in CookieCollectionObject)
{
    Response.Write("<Br/>");
    Response.Write("Cookie:");
    Response.Write(string.Format("{0}={1}", ck.Name, ck.Value) + "<Br/>");
    //Response.Write(string.Format("Domain:{0}", ck.Domain) + "<Br/>");
    Response.Write(string.Format("Path:{0}", ck.Path) + "<Br/>");
    Response.Write(string.Format("Secure:{0}", ck.Secure) + "<Br/>");
    Response.Write(string.Format("HttpOnly:{0}", ck.HttpOnly) + "<Br/>");
}
```
The main purpose of this code is to test whether cookies can be read and written correctly.
The result:

```text
System.Web.HttpCookie;------------

Cookie:TestName=TestValue
Domain:10.103.33.102:2888
Path:/
Secure:False
HttpOnly:False

Cookie:TestB=TestB
Domain:10.103.33.102:2888
Path:/
Secure:False
HttpOnly:True

System.Net.Cookie;*********************

Cookie:TestName2=TestValue2
Domain:10.103.33.102:2888
Path:
Secure:False
HttpOnly:False

Cookie:TestB2=TestB2
Domain:10.103.33.102:2888
Path:
Secure:False
HttpOnly:True
```
Then I created a Console Application to see whether it could fetch and modify that page's cookies.
The code:

```csharp
using System;
using System.Net;

// Console Application: fetch TestCookie.aspx and inspect the cookies it sets.
// Needs a reference to System.Web for the System.Web.HttpCookie type used below.
class Program
{
    static void Main()
    {
        string surl = "http://10.103.33.102:2888/TestCookie.aspx";
        HttpWebRequest WebRequestObject = (HttpWebRequest)WebRequest.Create(surl);
        // Without a CookieContainer, HttpWebResponse.Cookies stays empty
        WebRequestObject.CookieContainer = new CookieContainer();
        HttpWebResponse WebResponseObject = (HttpWebResponse)WebRequestObject.GetResponse();

        System.Net.CookieCollection CookieCollectionObject = new System.Net.CookieCollection();
        // Print the properties of each cookie.
        foreach (Cookie cook in WebResponseObject.Cookies)
        {
            Console.WriteLine("-----------------------System.Web.HttpCookie--------------------------");
            Console.WriteLine("Cookie:");
            Console.WriteLine("{0}={1}", cook.Name, cook.Value);
            Console.WriteLine("Domain:{0}", cook.Domain);
            Console.WriteLine("Path:{0}", cook.Path);
            Console.WriteLine("Port:{0}", cook.Port);
            Console.WriteLine("Secure:{0}", cook.Secure);
            Console.WriteLine("HttpOnly:{0}", cook.HttpOnly);

            // Show the string representation of the cookie.
            //Console.WriteLine("String:{0}", cook.ToString());

            // A copy of the cookie is built, but it is the original object cook,
            // not the copy c, that is added to the collection below
            System.Net.Cookie c = new System.Net.Cookie();
            c.Name = cook.Name;
            c.Path = cook.Path;
            c.HttpOnly = cook.HttpOnly;
            c.Domain = cook.Domain;
            c.Expires = cook.Expires;
            c.Value = cook.Value;
            CookieCollectionObject.Add(cook);
        }

        foreach (System.Net.Cookie ck in CookieCollectionObject)
        {
            Console.WriteLine("----------------------System.Net.Cookie-------------------------------------");
            Console.WriteLine("Cookie:");
            Console.WriteLine("{0}={1}", ck.Name, ck.Value);
            Console.WriteLine("Domain:{0}", ck.Domain);
            Console.WriteLine("Path:{0}", ck.Path);
            Console.WriteLine("Port:{0}", ck.Port);
            Console.WriteLine("Secure:{0}", ck.Secure);
            Console.WriteLine("HttpOnly:{0}", ck.HttpOnly);

            // A server-side HttpCookie is built from the client-side cookie and given a
            // changed value, but again it is ck (the object already in the response
            // collection) that is added back; c is never used after this point
            System.Web.HttpCookie c = new System.Web.HttpCookie(ck.Name);
            c.Name = ck.Name;
            c.Path = ck.Path;
            c.HttpOnly = ck.HttpOnly;
            c.Domain = ck.Domain;
            c.Expires = DateTime.Now.AddDays(1);
            c.Value = ck.Value + "--Update";
            WebResponseObject.Cookies.Add(ck);
        }

        foreach (Cookie cook in WebResponseObject.Cookies)
        {
            Console.WriteLine("-----------------UpdateedSystem.Web.HttpCookie--------------------------");
            Console.WriteLine("Cookie:");
            Console.WriteLine("{0}={1}", cook.Name, cook.Value);
            Console.WriteLine("Domain:{0}", cook.Domain);
            Console.WriteLine("Path:{0}", cook.Path);
            Console.WriteLine("Port:{0}", cook.Port);
            Console.WriteLine("Secure:{0}", cook.Secure);
            Console.WriteLine("HttpOnly:{0}", cook.HttpOnly);
        }
    }
}
```
Run result:

```text
-----------------------System.Web.HttpCookie--------------------------
Cookie:
TestName=TestValue
Domain:10.103.33.102
Path:/
Port:
Secure:False
HttpOnly:False
-----------------------System.Web.HttpCookie--------------------------
Cookie:
TestB=TestB
Domain:10.103.33.102
Path:/
Port:
Secure:False
HttpOnly:True
----------------------System.Net.Cookie-------------------------------------
Cookie:
TestName=TestValue
Domain:10.103.33.102
Path:/
Port:
Secure:False
HttpOnly:False
----------------------System.Net.Cookie-------------------------------------
Cookie:
TestB=TestB
Domain:10.103.33.102
Path:/
Port:
Secure:False
HttpOnly:True
-----------------UpdateedSystem.Web.HttpCookie--------------------------
Cookie:
TestName=TestValue
Domain:10.103.33.102
Path:/
Port:
Secure:False
HttpOnly:False
-----------------UpdateedSystem.Web.HttpCookie--------------------------
Cookie:
TestB=TestB
Domain:10.103.33.102
Path:/
Port:
Secure:False
HttpOnly:True
```
Note that the line c.Value = ck.Value + "--Update"; did not succeed in writing the modified cookie value into the page's cookie collection; in other words, an unknown client application did not manage to read a page's cookies, modify them and write them back into that page's cookie collection.
My understanding is:
1. System.Web.HttpCookie is mainly for server-side use.
System.Net.Cookie is mainly for client-side programs; the latter can read the former's cookie properties and values, but cannot modify cookies defined by the server.
2. After System.Web.HttpCookie.HttpOnly = true, client-side script cannot access the cookie, but other programs still can.
After System.Net.Cookie.HttpOnly = true, since it belongs to a client-side program there are more restrictions: “page scripts and other programs” are not allowed to access
the cookie; only the application that created it can access it, and only under the specified Domain.
Worth noting: the HttpOnly property only takes effect in IE 6 SP1 and later; it also works in Firefox 3.01! On machines running IE 5.x, though, it may ****
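Because HttpOnly is a flag in the Set-Cookie header that the browser honours, the server side cannot control what a non-browser client does with the cookie, but it can make sure the flag is never forgotten on any cookie it issues. The following is an added example, not code from the original post: an IHttpModule for ASP.NET 2.0 that forces HttpOnly on every cookie in the response just before the headers are sent, and additionally marks cookies Secure when the request arrived over HTTPS. The class name HttpOnlyCookieModule and the handler name are this example's own.

```csharp
using System;
using System.Web;

// Added example: force HttpOnly (and Secure over HTTPS) on every response cookie
// so that a page which forgets a.HttpOnly = true still sends the flag.
public class HttpOnlyCookieModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        // PreSendRequestHeaders fires before Response.Cookies is serialized
        // into Set-Cookie headers, so changes made here reach the client
        app.PreSendRequestHeaders += new EventHandler(OnPreSendRequestHeaders);
    }

    private void OnPreSendRequestHeaders(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        HttpResponse response = app.Context.Response;
        bool overHttps = app.Context.Request.IsSecureConnection;

        HttpCookieCollection cookies = response.Cookies;
        for (int i = 0; i < cookies.Count; i++)
        {
            HttpCookie cookie = cookies[i];

            // Keep the cookie out of document.cookie in browsers that support the flag
            if (!cookie.HttpOnly)
            {
                cookie.HttpOnly = true;
            }

            // Never let a cookie issued over HTTPS be replayed in clear text
            if (overHttps && !cookie.Secure)
            {
                cookie.Secure = true;
            }
        }
    }

    public void Dispose()
    {
    }
}
```

Register the module in web.config under <system.web><httpModules> with an <add name="HttpOnlyCookieModule" type="HttpOnlyCookieModule"/> entry (the type string is the example's own class name). ASP.NET 2.0 also provides the configuration element <httpCookies httpOnlyCookies="true" requireSSL="true"/> under <system.web>, which applies the same two flags site-wide without any code; the module is useful when the decision has to depend on the request, as the Secure check above does.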
Corrections are welcome.