IIS 7: How to rewrite cookies using the IIS URL Rewrite module
Because of a finding from a vulnerability tool, I need to rewrite all cookies on the website so that they have HttpOnly, Secure and SameSite=lax. Sample cookies:
cookie1 = oiu3ou2o3u2o42uo2;
cookie2 = 0830413o4o1uo4uo1u;HttpOnly;
cookie3 = 040382048308108814081;HttpOnly;Secure;
cookie4 = 80jafjlajdflajfldjaljf;HttpOnly;Secure;SameSite=lax;
Expected result in the response headers
Here are my outbound rewrite rules:
<rewrite>
  <outboundRules>
    <rule name="Add HttpOnly">
      <match serverVariable="RESPONSE_Set_Cookie" pattern=".*" />
      <conditions>
        <add input="{R:0}" pattern="; httpOnly" negate="true" />
      </conditions>
      <action type="Rewrite" value="{R:0}; HttpOnly" />
    </rule>
    <rule name="Add Secure">
      <match serverVariable="RESPONSE_Set_Cookie" pattern=".*" />
      <conditions>
        <add input="{R:0}" pattern="; Secure" negate="true" />
      </conditions>
      <action type="Rewrite" value="{R:0}; Secure" />
    </rule>
    <rule name="add Samesite">
      <match serverVariable="RESPONSE_Set_Cookie" pattern=".*" />
      <conditions>
        <add input="{R:0}" pattern="; sameSite" negate="true" />
      </conditions>
      <action type="Rewrite" value="{R:0}; SameSite=lax" />
    </rule>
  </outboundRules>
</rewrite>
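I am doing this on Windows Server 2008 R2/IIS7, and the rule works fine on several of my local instances.

So it looks like the Set-Cookie header carrying the cookie is generated after the outbound rewrite rules run. Can you explain how you generate the Set-Cookie header? Are you returning the cookie through a proxy? I suggest enabling Failed Request Tracing; it should tell us what is happening.

The cookie comes from the load balancer. Is it possible to modify these cookie attributes?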
Set-Cookie: ; HttpOnly; Secure; SameSite=lax
Set-Cookie: cookie1=oiu3ou2o3u2o42uo2;
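
The following Python model of the three outbound rules is an added example, not part of the original thread and not IIS itself. It reproduces the two Set-Cookie lines above when the application sets no cookie and the load balancer adds one afterwards, and shows what the `; httpOnly` condition does with an attribute written without a space. Assumptions: conditions behave as case-insensitive regex searches (URL Rewrite's default `ignoreCase="true"`); the `.+` match pattern, the `TOLERANT` conditions, the function names and the cookie2 sample are hypothetical or constructed for illustration.

```python
import re

# The question's rules as (condition regex, appended suffix). Assumption:
# conditions are case-insensitive searches; this is a model, not IIS.
RULES = [
    (r"; httpOnly", "; HttpOnly"),
    (r"; Secure", "; Secure"),
    (r"; sameSite", "; SameSite=lax"),
]
# Hypothetical tolerant conditions: optional whitespace after the semicolon.
TOLERANT = [
    (r";\s*HttpOnly", "; HttpOnly"),
    (r";\s*Secure", "; Secure"),
    (r";\s*SameSite", "; SameSite=lax"),
]


def apply_rules(value, rules=RULES, match=".*"):
    """Run each rule in order against one RESPONSE_Set_Cookie value."""
    for cond, suffix in rules:
        m = re.fullmatch(match, value, re.S)
        if m is None:                      # match pattern failed: rule skipped
            continue
        if re.search(cond, value, re.I):   # negate="true": attribute present
            continue
        value = m.group(0) + suffix        # action value "{R:0}<suffix>"
    return value


def respond(origin_cookies, lb_cookies, **kw):
    """The rules see only what the application set; cookies added later by
    the load balancer never pass through them (the case in the thread)."""
    seen = origin_cookies or [""]          # no Set-Cookie: empty variable
    out = [apply_rules(v, **kw) for v in seen]
    out = [v for v in out if v]            # untouched empty value: no header
    return out + list(lb_cookies)


LB = ["cookie1=oiu3ou2o3u2o42uo2;"]           # cookie added after IIS
SAMPLE = "cookie2=0830413o4o1uo4uo1u;HttpOnly"  # constructed, no space

if __name__ == "__main__":
    print(respond([], LB))                 # ".*" also matches the empty value
    print(respond([], LB, match=".+"))     # ".+" leaves a missing header alone
    print(apply_rules(SAMPLE))             # "; httpOnly" misses ";HttpOnly"
    print(apply_rules(SAMPLE, rules=TOLERANT))
```

In this model the load balancer's cookie is never rewritten, so its attributes have to be set on the load balancer or on a device behind which it sits.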