IIS 7: How to rewrite cookies using the IIS URL Rewrite module

Due to findings from a vulnerability tool, I need to rewrite all cookies on the website so that they have HttpOnly, Secure and SameSite=lax.

Sample cookies:

 cookie1 = oiu3ou2o3u2o42uo2;
 cookie2 = 0830413o4o1uo4uo1u;HttpOnly;
 cookie3 = 040382048308108814081;HttpOnly;Secure;
 cookie4 = 80jafjlajdflajfldjaljf;HttpOnly;Secure;SameSite=lax;

Expected result in the response header

This is my outbound rewrite rule:

<rewrite>
    <outboundRules>
        <rule name="Add HttpOnly">
            <match serverVariable="RESPONSE_Set_Cookie" pattern=".*" />
            <conditions>
                <add input="{R:0}" pattern="; httpOnly" negate="true" />
            </conditions>
            <action type="Rewrite" value="{R:0}; HttpOnly" />
        </rule>
        <rule name="Add Secure">
            <match serverVariable="RESPONSE_Set_Cookie" pattern=".*" />
            <conditions>
                <add input="{R:0}" pattern="; Secure" negate="true" />
            </conditions>
            <action type="Rewrite" value="{R:0}; Secure" />
        </rule>
        <rule name="add Samesite">
            <match serverVariable="RESPONSE_Set_Cookie" pattern=".*" />
            <conditions>
                <add input="{R:0}" pattern="; sameSite" negate="true" />
            </conditions>
            <action type="Rewrite" value="{R:0}; SameSite=lax" />
        </rule>
    </outboundRules>
</rewrite>

I am doing this on Windows Server 2008 R2/IIS 7,

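The rule works fine on several of my local instances. So it looks as though the Set-Cookie header carrying the cookie is generated after the outbound rewrite rule has run.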

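Could you explain how you generate the Set-Cookie header? Are you returning the cookie through a proxy? I suggest enabling Failed Request Tracing; it should tell us what is happening.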


The cookies come from the load balancer. Is it possible to modify these cookie attributes?
 Set-Cookie: ; HttpOnly; Secure; SameSite=lax
 Set-Cookie: cookie1=oiu3ou2o3u2o42uo2;
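
To confirm which cookies still lack the attributes once IIS and the load balancer have both handled the response, the headers the client actually receives can be audited. The following is an added example, not part of the original thread: the function names are hypothetical, the sample data is constructed from the cookies quoted in the question, and parsing is simplified (it assumes no `;` inside quoted cookie values).

```python
# Added example: audit and normalize Set-Cookie values (hypothetical helper names).
REQUIRED = {"httponly": "HttpOnly", "secure": "Secure", "samesite": "SameSite=lax"}

def parse(value):
    """Split a Set-Cookie value into (name=value pair, {attr_name_lower: raw_attr})."""
    parts = [p.strip() for p in value.split(";")]
    pair, attrs = parts[0], {}
    for raw in parts[1:]:
        if raw:  # skip empty segments left by a trailing or doubled ';'
            attrs[raw.split("=", 1)[0].strip().lower()] = raw
    return pair, attrs

def missing(value):
    """Return the required attributes absent from one Set-Cookie value."""
    _, attrs = parse(value)
    return [REQUIRED[k] for k in REQUIRED if k not in attrs]

def harden(value):
    """Append only the missing attributes; return None for a header with no cookie."""
    pair, attrs = parse(value)
    if "=" not in pair or pair.startswith("="):
        return None  # e.g. "; HttpOnly; Secure; SameSite=lax": no cookie to protect
    return "; ".join([pair] + list(attrs.values()) + missing(value))

def audit(header_lines):
    """Check raw 'Set-Cookie: ...' lines; return (line, problem) findings."""
    findings = []
    for line in header_lines:
        field, _, value = line.partition(":")
        if field.strip().lower() != "set-cookie":
            continue
        if harden(value) is None:
            findings.append((line, "empty cookie"))
        elif missing(value):
            findings.append((line, "missing " + ", ".join(missing(value))))
    return findings

# Constructed from the samples in the question (spaces around '=' removed).
SAMPLES = [
    "cookie1=oiu3ou2o3u2o42uo2;",
    "cookie2=0830413o4o1uo4uo1u;HttpOnly;",
    "cookie3=040382048308108814081;HttpOnly;Secure;",
    "cookie4=80jafjlajdflajfldjaljf;HttpOnly;Secure;SameSite=lax;",
]
OBSERVED = ["Set-Cookie: ; HttpOnly; Secure; SameSite=lax",  # header lines shown on the page
            "Set-Cookie: cookie1=oiu3ou2o3u2o42uo2;"]

if __name__ == "__main__":
    print([harden(s) for s in SAMPLES], audit(OBSERVED), sep="\n")
```

Run against the two header lines shown above, `audit` reports one header that carries attributes but no cookie and one cookie that carries none of the three attributes.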