我在web.config中有以下规则,旨在使用safe和httpOnly标志识别和重写出站会话cookie:
<rewrite>
<outboundRules>
<preConditions>
<preCondition name="MatchSessionCookies">
<add input="{RESPONSE_SET_COOKIE}" pattern="." />
</preCondition>
</preConditions>
<rule preCondition="MatchSessionCookies" name="SecureSessionCookies" enabled="true">
<match serverVariable="RESPONSE_SET_COOKIE" pattern="^(.*sess.*)=(.+)$" />
<action type="Rewrite" value="{R:1}={R:2}; httpOnly; secure" />
</rule>
</outboundRules>
</rewrite>
这按预期工作,直到httpErrors发挥作用:
<httpErrors>
<remove statusCode="404" subStatusCode="-1" />
<error statusCode="404" prefixLanguageFilePath="" path="/path/to/404.aspx" responseMode="ExecuteURL" />
</httpErrors>
因此,当访问/a-page-that-exists.aspx
时,写出的出站 ASPSESSIONID cookie 会使用安全和httpOnly 标志成功重写。
Request URL: /a-page-that-exists.aspx
Status Code: 200 OK
Set-Cookie: ASPSESSIONIDABCDEFG=...; path=/; httpOnly; secure
问题是访问/a-page-that-does-NOT-exist.aspx
。似乎 [404] 请求在内部"路由"到ExecuteURL
路径,并且完全绕过了我现有的 URL 重写规则。
Request URL: /a-page-that-does-NOT-exist.aspx
Status Code: 200 OK
Set-Cookie: ASPSESSIONIDABCDEFG=...; path=/
关于如何修改我的出站重写规则,以便在将它们移交给我的 404 处理程序之前可以应用于 [404] 请求的任何想法?
好吧,看起来我们必须使用IIS <httpErrors />
处理程序的URL重写版本,但它有效:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<!-- Remove existing 404 handler -->
<httpErrors>
<remove statusCode="404" subStatusCode="-1" />
</httpErrors>
<rewrite>
<outboundRules>
<preConditions>
<preCondition name="MatchSessionCookies">
<add input="{RESPONSE_SET_COOKIE}" pattern="." />
</preCondition>
</preConditions>
<!-- Does NOT work with ExecuteURL 404 handler -->
<rule preCondition="MatchSessionCookies" name="SecureSessionCookies" enabled="true">
<match serverVariable="RESPONSE_SET_COOKIE" pattern="^(gsm|.*sess.*)=(.+)$" />
<action type="Rewrite" value="{R:1}={R:2}; httpOnly; secure" />
</rule>
</outboundRules>
<rules>
<!-- Re-implement ExecuteURL 404 handler as URL Rewrite -->
<rule name="Handle404" stopProcessing="true">
<match url=".*" />
<conditions logicalGrouping="MatchAny">
<add input="{REQUEST_FILENAME}" matchType="IsFile" negate="true" />
</conditions>
<action type="Rewrite" url="/path/to/404.aspx?404;{PreserveSchema:{HTTPS}}{HTTP_HOST}{UNENCODED_URL}" />
</rule>
</rules>
<rewriteMaps>
<!-- http://stackoverflow.com/a/10227936/901156 -->
<rewriteMap name="PreserveSchema" defaultValue="OFF">
<add key="ON" value="https://" />
<add key="OFF" value="http://" />
</rewriteMap>
</rewriteMaps>
</rewrite>
</system.webServer>
</configuration>
而回应:
Request URL: /a-page-that-does-NOT-exist.aspx
Status Code: 200 OK
Set-Cookie: ASPSESSIONIDABCDEFG=...; path=/; httpOnly; secure