  • When WPF Meets HttpOnly

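    Today I wrote a simple program in WPF that uses a Frame to switch between a web page and local pages. I wanted the user to have to log in again whenever the Frame went from the web page to a local page and then back to the web page, but the cookies sent by the server were HttpOnly.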

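    HttpOnly cookies exist to improve site security and defend against cross-site attacks, so client-side access to them is heavily restricted. For more information, see Mitigating Cross-site Scripting With HTTP-only Cookies.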

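    I searched through a lot of material and also tried using the mshtml.HTMLDocument2 interface to read the cookie from the Document property of the WebBrowser object inside the Frame, only to find that it was null. One of the sources I found says: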

    However it is not good enough as looks like MSHTML.Document2 – does not allow to extract important HttpOnly cookies (like ASP.Net_SessionID) – and I need manually construct CookiesCollection object from Cookies string.

    So I had to give up on modifying the cookies directly. Eventually I found an article that says:

    To clear session (such as HttpOnly cookies), you can use InternetSetOption() from wininet.dll.

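    // Requires: using System; using System.Runtime.InteropServices;
    // WinINet option that ends the current browser session.
    private const int INTERNET_OPTION_END_BROWSER_SESSION = 42;

    [DllImport("wininet.dll", SetLastError = true)]
    private static extern bool InternetSetOption(IntPtr hInternet, int dwOption, IntPtr lpBuffer, int lpdwBufferLength);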

    and use this method whenever you need to clear the session.

    InternetSetOption(IntPtr.Zero, INTERNET_OPTION_END_BROWSER_SESSION, IntPtr.Zero, 0);
    webBrowser1.Document.Window.Navigate(url);

    Fortunately, all I needed was to clear the cookies and end the current session, and the API above does exactly that.

    Later I also came across the article Retrieve HttpOnly Session Cookie in WebBrowser – CodeProject, which says:

    Now, we can inject into every request, including AJAX requests. How to get/set the HTTP-Only cookies when a request is being sent? There is a new added flag INTERNET_COOKIE_HTTPONLY in IE8 SDK for InternetGetCookieEx / InternetSetCookieEx.

    If the system browser is IE8 or later, these two APIs can be used to get and set HttpOnly cookies.
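
    One way to combine the two APIs above for the forced re-login case: end the session, then use InternetGetCookieEx with INTERNET_COOKIE_HTTPONLY to confirm the session cookie is really gone before navigating back. This is an added example, not code from the original post or the quoted articles; the class and method names, the URL and the cookie name are assumptions.

    ```csharp
    using System;
    using System.ComponentModel;
    using System.Runtime.InteropServices;
    using System.Text;

    // Hypothetical helper (added example). Uses the WinINet cookie store shared by
    // every WebBrowser/Frame hosted in the current process.
    static class BrowserSession
    {
        private const int INTERNET_OPTION_END_BROWSER_SESSION = 42;
        private const int INTERNET_COOKIE_HTTPONLY = 0x00002000; // needs IE8+ WinINet
        private const int ERROR_NO_MORE_ITEMS = 259;             // "no such cookie"

        [DllImport("wininet.dll", SetLastError = true)]
        private static extern bool InternetSetOption(
            IntPtr hInternet, int dwOption, IntPtr lpBuffer, int dwBufferLength);

        [DllImport("wininet.dll", CharSet = CharSet.Unicode, SetLastError = true)]
        private static extern bool InternetGetCookieEx(
            string url, string cookieName, StringBuilder cookieData,
            ref int size, int flags, IntPtr reserved);

        // Ends the browser session; throws instead of silently ignoring a failure.
        public static void EndSession()
        {
            if (!InternetSetOption(IntPtr.Zero, INTERNET_OPTION_END_BROWSER_SESSION, IntPtr.Zero, 0))
                throw new Win32Exception(Marshal.GetLastWin32Error());
        }

        // True if a cookie called `name` would still be sent to `url`, HttpOnly ones
        // included. A null buffer asks only for the required size, so the cookie
        // value itself is never copied into the application.
        public static bool HasCookie(Uri url, string name)
        {
            int size = 0;
            if (InternetGetCookieEx(url.AbsoluteUri, name, null, ref size,
                                    INTERNET_COOKIE_HTTPONLY, IntPtr.Zero))
                return size > 0;
            int err = Marshal.GetLastWin32Error();
            if (err == ERROR_NO_MORE_ITEMS) return false;
            throw new Win32Exception(err);
        }
    }

    // Usage in the page-switch handler (frame is the WPF Frame; values are placeholders):
    //   var login = new Uri("https://example.test/login");
    //   BrowserSession.EndSession();
    //   bool stillLoggedIn = BrowserSession.HasCookie(login, "ASP.NET_SessionId");
    //   frame.Navigate(login);
    ```

    If HasCookie still returns true after EndSession, the cookie was not cleared with the session and the page will not ask for a new login.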

  • Original article: https://www.cnblogs.com/yeye518/p/2811296.html