HttpCookie.HttpOnly VS Cookie.HttpOnly?(downmoon原创)

网站的Cookie管理除了限定Domain增强安全性之外，.net　2.0新增一个Cookie属性HttpOnly。很棒！

在做一个cookie功能时用到了Cookie的一个属性HttpOnly

Code
<!-- {cps..10}-->HttpCookiea = new HttpCookie( " TestName " , " TestValue " );
a.Domain = " .test.com " ;
a.HttpOnly = true ;
Response.Cookies.Add(a);

原以为这样后，客户端应该无法访问该Cookie了！　

结果，如图

感觉比较诡异，于是再查MSDN

得知原来有两个cookie类。System.Web.HttpCookie 类 和 System.Net.Cookie 类

注意命名空间不同。

两个类的说明分别如下：

Cookie 类提供一组用于管理 Cookie 的属性和方法。无法继承此类。 命名空间: System.Net

HttpCookie 类 提供创建和操作各 HTTP Cookie 的类型安全方法。 命名空间: System.Web

两个类都有HttpOnly属性，分别说明如下：

Cookie.HttpOnly 属性注意：此属性在 .NET Framework 2.0 版中是新增的。确定页脚本或其他活动内容是否可访问此 Cookie。

HttpCookie.HttpOnly 属性注意：此属性在 .NET Framework 2.0 版中是新增的。 获取或设置一个值，该值指定 Cookie 是否可通过客户端脚本访问。

问题来了，关键的理解点在于通过什么东东来访问。

不太理解微软机器翻译的“页脚本或其他活动内容 ”究竟指什么玩意？

于是做测试，建立一个Web Application,

在TestCookie.aspx页面，的Page_Load事件中加入

Code
<!-- {cps..16}-->// Response.Cookies.Clear();
// System.Web.HttpCookie;
HttpCookiea = new HttpCookie( " TestName " , " TestValue " );
// a.Domain=Request.ServerVariables["HTTP_HOST"];
a.HttpOnly = false ;
Response.Cookies.Add(a);

HttpCookieb = new HttpCookie( " TestB " , " TestB " );
b.HttpOnly = true ;
// b.Domain=Request.ServerVariables["HTTP_HOST"];
Response.Cookies.Add(b);
Response.Write( " System.Web.HttpCookie;------------<br/> " );
for ( int i = 0 ;i < Request.Cookies.Count;i ++ )
{
HttpCookiecook = Request.Cookies[i];

Response.Write( " <Br/> " );
Response.Write( " Cookie: " );
Response.Write( string .Format( " {0}={1} " ,cook.Name,cook.Value) + " <Br/> " );
// Response.Write(string.Format("Domain:{0}",cook.Domain)+"<Br/>");
Response.Write( string .Format( " Path:{0} " ,cook.Path) + " <Br/> " );
Response.Write( string .Format( " Secure:{0} " ,cook.Secure) + " <Br/> " );
Response.Write( string .Format( " HttpOnly:{0} " ,cook.HttpOnly) + " <Br/> " );
}

//
// System.Net.CookieContainerCookieContainerObject=newSystem.Net.CookieContainer();
System.Net.CookieCollectionCookieCollectionObject = new System.Net.CookieCollection();
System.Net.Cookiea2 = new System.Net.Cookie( " TestName2 " , " TestValue2 " );
a2.HttpOnly = false ;
a2.Domain = Request.ServerVariables[ " HTTP_HOST " ];
// CookieContainerObject.Add(a2);
CookieCollectionObject.Add(a2);

System.Net.Cookieb2 = new System.Net.Cookie( " TestB2 " , " TestB2 " );
b2.HttpOnly = true ;
b2.Domain = Request.ServerVariables[ " HTTP_HOST " ];
// CookieContainerObject.Add(b2);
CookieCollectionObject.Add(b2);

Response.Write( " <Br/> " );
Response.Write( " System.Net.Cookie;*********************<br/> " );
foreach (System.Net.Cookieck in CookieCollectionObject)
{

Response.Write( " <Br/> " );
Response.Write( " Cookie: " );
Response.Write( string .Format( " {0}={1} " ,ck.Name,ck.Value) + " <Br/> " );
// Response.Write(string.Format("Domain:{0}",ck.Domain)+"<Br/>");
Response.Write( string .Format( " Path:{0} " ,ck.Path) + " <Br/> " );
Response.Write( string .Format( " Secure:{0} " ,ck.Secure) + " <Br/> " );
Response.Write( string .Format( " HttpOnly:{0} " ,ck.HttpOnly) + " <Br/> " );
}

该段代码的功能主要是测试能否正确读写Cookie

结果如下：

Code
<!-- {cps..12}-->System.Web.HttpCookie;------------

Cookie:TestName=TestValue
Domain:10.103.33.102:2888
Path:/
Secure:False
HttpOnly:False

Cookie:TestB=TestB
Domain:10.103.33.102:2888
Path:/
Secure:False
HttpOnly:True

System.Net.Cookie;*********************

Cookie:TestName2=TestValue2
Domain:10.103.33.102:2888
Path:
Secure:False
HttpOnly:False

Cookie:TestB2=TestB2
Domain:10.103.33.102:2888
Path:
Secure:False
HttpOnly:True

再建一ConSole Application,

看看能否获取并修改该页面的Cookie

代码如下：

Code
<!-- {cps..13}-->string surl = " http://10.103.33.102:2888/TestCookie.aspx " ;
HttpWebRequestWebRequestObject = (HttpWebRequest)WebRequest.Create(surl);
WebRequestObject.CookieContainer = new CookieContainer();
HttpWebResponseWebResponseObject = (HttpWebResponse)WebRequestObject.GetResponse();

System.Net.CookieCollectionCookieCollectionObject = new System.Net.CookieCollection();
// Printthepropertiesofeachcookie.
foreach (Cookiecook in WebResponseObject.Cookies)
{
Console.WriteLine( " -----------------------System.Web.HttpCookie-------------------------- " );
Console.WriteLine( " Cookie: " );
Console.WriteLine( " {0}={1} " ,cook.Name,cook.Value);
Console.WriteLine( " Domain:{0} " ,cook.Domain);
Console.WriteLine( " Path:{0} " ,cook.Path);
Console.WriteLine( " Port:{0} " ,cook.Port);
Console.WriteLine( " Secure:{0} " ,cook.Secure);
Console.WriteLine( " HttpOnly:{0} " ,cook.HttpOnly);
/**/ ////// Showthestringrepresentationofthecookie.
/// /Console.WriteLine("String:{0}",cook.ToString());
System.Net.Cookiec = new System.Net.Cookie();
c.Name = cook.Name;
c.Path = cook.Path;
c.HttpOnly = cook.HttpOnly;
c.Domain = cook.Domain;
c.Expires = cook.Expires;
c.Value = cook.Value;
CookieCollectionObject.Add(cook);
}

foreach (System.Net.Cookieck in CookieCollectionObject)
{

Console.WriteLine( " ----------------------System.Net.Cookie------------------------------------- " );
Console.WriteLine( " Cookie: " );
Console.WriteLine( " {0}={1} " ,ck.Name,ck.Value);
Console.WriteLine( " Domain:{0} " ,ck.Domain);
Console.WriteLine( " Path:{0} " ,ck.Path);
Console.WriteLine( " Port:{0} " ,ck.Port);
Console.WriteLine( " Secure:{0} " ,ck.Secure);
Console.WriteLine( " HttpOnly:{0} " ,ck.HttpOnly);

System.Web.HttpCookiec = new System.Web.HttpCookie(ck.Name);
c.Name = ck.Name;
c.Path = ck.Path;
c.HttpOnly = ck.HttpOnly;
c.Domain = ck.Domain;
c.Expires = DateTime.Now.AddDays( 1 );
c.Value = ck.Value + " --Update " ;
WebResponseObject.Cookies.Add(ck);
}

foreach (Cookiecook in WebResponseObject.Cookies)
{
Console.WriteLine( " -----------------UpdateedSystem.Web.HttpCookie-------------------------- " );
Console.WriteLine( " Cookie: " );
Console.WriteLine( " {0}={1} " ,cook.Name,cook.Value);
Console.WriteLine( " Domain:{0} " ,cook.Domain);
Console.WriteLine( " Path:{0} " ,cook.Path);
Console.WriteLine( " Port:{0} " ,cook.Port);
Console.WriteLine( " Secure:{0} " ,cook.Secure);
Console.WriteLine( " HttpOnly:{0} " ,cook.HttpOnly);

}

运行结果

Code
<!-- {cps..14}-->-----------------------System.Web.HttpCookie--------------------------
Cookie:
TestName=TestValue
Domain:10.103.33.102
Path:/
Port:
Secure:False
HttpOnly:False
-----------------------System.Web.HttpCookie--------------------------
Cookie:
TestB=TestB
Domain:10.103.33.102
Path:/
Port:
Secure:False
HttpOnly:True
----------------------System.Net.Cookie-------------------------------------
Cookie:
TestName=TestValue
Domain:10.103.33.102
Path:/
Port:
Secure:False
HttpOnly:False
----------------------System.Net.Cookie-------------------------------------
Cookie:
TestB=TestB
Domain:10.103.33.102
Path:/
Port:
Secure:False
HttpOnly:True
-----------------UpdateedSystem.Web.HttpCookie--------------------------
Cookie:
TestName=TestValue
Domain:10.103.33.102
Path:/
Port:
Secure:False
HttpOnly:False
-----------------UpdateedSystem.Web.HttpCookie--------------------------
Cookie:
TestB=TestB
Domain:10.103.33.102
Path:/
Port:
Secure:False
HttpOnly:True

请注意， c.Value = ck.Value+"--Update";这句在修改Cookie.value后并没有成功写入该页面的Cookie集合中，换言之，一个未知的客户端应用程序并没有通过读取一个页面的Cookie并修改再写入该页面的Cookie集合。

我的理解是：

1、System.Web.httpCookie主要是服务器端应用。 System.Net.Cookie主要是客户端程序应用，后者可以读取前者的Cookie属性和值，而不能修改服务器定义的Cookie。

2、System.Web.httpCookie.HttpOnly=true后，客户端脚本无法访问该Cookie,但其他程序仍然可以访问。

System.Net.Cookie.HttpOnly=true后，困其是客户端程序，故有更多的限制，不允许”页面脚本及其他程序“访问 该Cookie, 只有创建它的应用程序可以访问。并且在特定的Domain下。

值得注意的是：HttpOnly属性仅对IE 6 SP1以上的版本才有效，在FireFox3.01下也可以！但对于IE5.x的机器，可能就****

欢迎大伙指正。