
What is the cookie related to /_vti_bin/Discovery.asmx and why can't I set its Secure attribute?

I have a WSS 3.0 site that uses forms authentication. In addition to my authentication cookie I get a cookie that contains data like this:

2FDiscovery=WorkspaceSiteName=aHR0cDovL3d3dy5rZWxldi5iaXo=&WorkspaceSiteUrl=
aHR0cHM6Ly9zdGFnaW5nLWluc2lnaHQubmNqcnMuZ292&WorkspaceSiteTime=MjAwOS
0xMi0xMFQxNDo1ODoxMQ==; path=/_vti_bin/Discovery.asmx;

This cookie does not have the Secure attribute set, even though I have requireSSL="true" in my web.config and the other cookies have the attribute.

I do not know if this cookie originates in WSS or in forms authentication in general.

Does anyone know what the cookie does (or what /_vti_bin/Discovery.asmx does, for that matter) and why the attribute doesn't seem to get picked up from the web.config?


The content of the cookie (WorkspaceSiteName, WorkspaceSiteUrl, WorkspaceSiteTime) suggests it is used by MS Office to remember the recently used SharePoint Workspaces so it can show it to you when you like to save a document in MS Word for example. I haven't verified this though. In my experience, the cookie has a persistence period of 30 days, which would mean that MS Office remembers the workspaces you have visited the last 30 days.

Regarding your requireSSL=true entry in web.config not being picked up, in which web.config did you put the entry? The web.config at the root of your web site (in the c:\inetpub\wwwroot\wss\virtualdirectories\<sitename> folder) is the wrong web.config! _vti_bin is configured as a virtual directory in IIS and maps to the physical path C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\isapi. There is a separate web.config in that location.
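To check a cookie like this one rather than guess at it, here is an added example (my own Python, not code from the question, from SharePoint or from Office) that splits the Set-Cookie header from the question, decodes its three base64 Workspace* fields, and reports a missing Secure or HttpOnly attribute. The sample header is the question's cookie re-joined onto one line; the requireSSL flag in the audit mirrors the web.config setting being discussed.

```python
import base64

# Constructed sample: the Set-Cookie value from the question, re-joined onto
# one line. It is not a header captured from any live server.
SAMPLE_SET_COOKIE = (
    "2FDiscovery=WorkspaceSiteName=aHR0cDovL3d3dy5rZWxldi5iaXo="
    "&WorkspaceSiteUrl=aHR0cHM6Ly9zdGFnaW5nLWluc2lnaHQubmNqcnMuZ292"
    "&WorkspaceSiteTime=MjAwOS0xMi0xMFQxNDo1ODoxMQ==;"
    " path=/_vti_bin/Discovery.asmx;"
)


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attribute: value}).

    Attribute names are lower-cased; flag attributes such as Secure and
    HttpOnly map to True. The first '=' separates name from value, so a
    value that itself contains '=' (as this one does) survives intact.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name, value, attrs


def decode_discovery_value(value):
    """Decode the Workspace* fields (key=base64&key=base64...) into text.

    Split by hand instead of urllib.parse.parse_qsl, which would turn a
    '+' inside a base64 string into a space.
    """
    decoded = {}
    for pair in value.split("&"):
        key, _, b64 = pair.partition("=")
        decoded[key] = base64.b64decode(b64).decode("utf-8")
    return decoded


def audit_cookie(header, require_ssl=True):
    """Decode the cookie and list the attribute findings a reviewer wants.

    With require_ssl=True (what requireSSL="true" in web.config is meant to
    enforce), a cookie without the Secure attribute is reported.
    """
    name, value, attrs = parse_set_cookie(header)
    findings = []
    if require_ssl and not attrs.get("secure"):
        findings.append("missing Secure attribute")
    if not attrs.get("httponly"):
        findings.append("missing HttpOnly attribute")
    return {"name": name, "path": attrs.get("path"),
            "fields": decode_discovery_value(value), "findings": findings}
```

Running audit_cookie(SAMPLE_SET_COOKIE) shows the three fields decode to a site name, a site URL and an ISO timestamp, which supports the reading above that this is a recently-used-workspace cookie rather than an authentication token.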


When googling for Discovery.asmx the only clue I get is that this service is used by Windows Live ID. Apparently it is active even when Live ID is not the actual authentication provider used on that website.

You could try blocking access to this service using IIS directly? Just open the IIS manager and find the service. Then block all outside access to it. Not too sure what possibilities there are regarding this though (disable all authentication, or add a redirect to 404 page rule to it...)

P.S. Make sure it doesn't pose an actual security hole / threat first though.
