IIS Samesite Cookie working for Lax and Strict but does not work for None
Can someone point out if I'm missing anything?
Following the instructions at https://docs.microsoft.com/en-us/aspnet/samesite/system-web-samesite, this is the IIS web.config I have for Strict:
<system.web>
  <anonymousIdentification cookieRequireSSL="true" />
  <authentication>
    <forms cookieSameSite="Strict" requireSSL="true" />
  </authentication>
  <sessionState cookieSameSite="Strict" />
  <httpCookies sameSite="Strict" requireSSL="true" />
  <roleManager cookieRequireSSL="true" />
  <compilation targetFramework="4.7">
    ...
  </compilation>
  ...
  <httpRuntime targetFramework="4.7"/>
</system.web>
Result (sorry, I can't embed the image directly. I get the error "Failed to reach Imgur"):
For SameSite="None", I just changed every "Strict" to "None":
<system.web>
  <anonymousIdentification cookieRequireSSL="true" />
  <authentication>
    <forms cookieSameSite="None" requireSSL="true" />
  </authentication>
  <sessionState cookieSameSite="None" />
  <httpCookies sameSite="None" requireSSL="true" />
  <roleManager cookieRequireSSL="true" />
  <compilation targetFramework="4.7">
    ...
  </compilation>
  ...
  <httpRuntime targetFramework="4.7"/>
</system.web>
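But it is not added to the cookies:
Thanks in advance. I appreciate your help.
There is a comment in another thread that I was considering trying as a last resort, since installing any software on the machine is a hassle. It doesn't exactly fit my scenario, because his didn't work even with "Strict". However, it did solve my problem after installing URL Rewrite.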
I tried with <httpCookies sameSite="Strict" /> in .Net 4.7.2 but it did not work for the Asp.Net Identity cookie. This rewrite rule did. – Augusto Barreto Nov 22 '18 at 22:30
@AugustoBarreto Asp.Net Identity ignores the .config settings. Solution is to implement your own Cookie Handler. Derive from System.IdentityModel.Services.CookieHandler and implement WriteInternal method. – Saftpresse99 Mar 18 '19 at 12:18
Thanks, Augusto!
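A URL Rewrite outbound rule of the kind the answer refers to, given here as an added example that is not taken from the original thread or from the comment it mentions. The rule names and the cookie name ExampleCookieName are placeholders; the rule is scoped to a single cookie so that other cookies keep whatever SameSite value the application sets.

```xml
<!-- Added example, not from the thread. Place inside <system.webServer>;
     requires the IIS URL Rewrite module to be installed. -->
<rewrite>
  <outboundRules>
    <!-- ExampleCookieName is a placeholder: name only the cookie that must be
         sent on cross-site requests rather than matching every Set-Cookie. -->
    <rule name="AppendSameSiteNone" preCondition="NoSameSiteYet">
      <match serverVariable="RESPONSE_Set_Cookie"
             pattern="^(ExampleCookieName=.*)$" />
      <!-- Browsers that enforce the newer SameSite rules reject SameSite=None
           unless the cookie is also Secure; the web.config in the question
           already sets requireSSL="true", so Secure is not appended here. -->
      <action type="Rewrite" value="{R:1}; SameSite=None" />
    </rule>
    <preConditions>
      <!-- Skip responses without a Set-Cookie header, and skip cookies that
           already carry a SameSite attribute, so the attribute is never
           written twice. -->
      <preCondition name="NoSameSiteYet">
        <add input="{RESPONSE_Set_Cookie}" pattern="." />
        <add input="{RESPONSE_Set_Cookie}" pattern="SameSite=" negate="true" />
      </preCondition>
    </preConditions>
  </outboundRules>
</rewrite>
```

After deploying, check the Set-Cookie response header in the browser's network tools to confirm that the named cookie carries both Secure and SameSite=None.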