输入验证和表示 - Header 操作:Cookies- C# Cookies - Header

Input Validation and Representation - Header Manipulation: Cookies- C# Cookies - Header

Fortify 已报告以下问题 输入验证和表示 - Header 操作:Cookies

HttpApplication application = (HttpApplication)source;
            if (application.Context.Handler is IRequiresSessionState)
            {
                string abcCookieIdentity = "abc";
                HttpCookie abcCookie = application.Request.Cookies[abcCookieIdentity];                
                if (abcCookie == null)
                {
                    string mockIdentity = ConfigurationUtility.GetValue("AbcMockIdentity");
                    if (!string.IsNullOrWhiteSpace(mockIdentity))
                    {
                        abcCookie = new HttpCookie(abcCookieIdentity);
                        abcCookie.Secure = true;
                        abcCookie.HttpOnly = true;
                        abcCookie.Value = application.Session.SessionID + "#" + mockIdentity;
                        application.Response.Cookies.Add(abcCookie);
                    }
                }

            if (abcCookie != null)
            {
                if (application.Session != null)
                {
                    string internalSessionId = application.Session.SessionID;
                    abcCookie.Secure = true;
                    string[] cookieValues = abcCookie.Value.Split('#');

                    if (cookieValues[0].Equals(internalSessionId))
                    {
                        IIdentity identity = identity = new GenericI(cookieValues[1]);
                        IPrincipal principal = new GenericP(identity, new string[] { "Gent" });
                        Thread.CurrentPrincipal = principal;
                        application.Context.User = principal;

                        application.Request.Headers.Add("USER", cookieValues[1]);
                        
                        application.Response.Cookies.Add(abcCookie);

                        return;
                    }
                }
            }                
        }

我尝试通过添加更多详细信息(如 cookie 过期等)来解决问题。但仍然没有任何效果。 任何帮助将不胜感激.. 谢谢!

我必须在我的代码中使用 Request.Form["values"].. 这解决了问题。