
How to share an ASP.NET session between HTTP and HTTPS

Updated: 2023-08-18 16:00:34

From MSDN:

When a user moves back and forth between secure and public areas, the ASP.NET-generated session cookie (or URL if you have enabled cookie-less session state) moves with them in plaintext, but the authentication cookie is never passed over unencrypted HTTP connections as long as the Secure cookie property is set.

So basically, the cookie can be passed over both HTTP and HTTPS if the Secure property is set to false.

I have avoided this issue by adding this to my Global.asax file:

void Session_Start(object sender, EventArgs e) 
{
    if (Request.IsSecureConnection) Response.Cookies["ASP.NET_SessionID"].Secure = false;
}

This means that if the Session cookie is created over HTTP, it will only be accessible over HTTPS.
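
The behaviour described in the MSDN passage can be reproduced offline with Python's standard cookie jar, which applies the same Secure-attribute rule a browser does. This is an added example, not part of the original answer; the host name and cookie values are constructed, and `.ASPXAUTH` stands in for the authentication cookie.

```python
"""Added example: which cookies a client sends over HTTP vs HTTPS, by Secure flag."""
from http.cookiejar import Cookie, CookieJar
from urllib.request import Request

HOST = "shop.example.test"  # constructed host name (assumption)


def make_cookie(name, value, secure):
    """Build a host-only, session-lifetime cookie for HOST."""
    return Cookie(
        version=0, name=name, value=value,
        port=None, port_specified=False,
        domain=HOST, domain_specified=False, domain_initial_dot=False,
        path="/", path_specified=True,
        secure=secure, expires=None, discard=True,
        comment=None, comment_url=None, rest={},
    )


def cookies_sent(jar, url):
    """Return the set of cookie names the jar would attach to a request for url."""
    req = Request(url)  # no network traffic: the request is only built, never sent
    jar.add_cookie_header(req)
    header = req.get_header("Cookie", "")
    return {pair.split("=", 1)[0] for pair in header.split("; ") if pair}


def scenario(session_secure):
    """Jar state after an HTTPS login: session cookie plus a Secure auth cookie."""
    jar = CookieJar()
    # Constructed values; only the Secure flag on the session cookie varies.
    jar.set_cookie(make_cookie("ASP.NET_SessionId", "constructed-session-id", session_secure))
    jar.set_cookie(make_cookie(".ASPXAUTH", "constructed-ticket", True))
    return {
        "http": cookies_sent(jar, f"http://{HOST}/catalog"),
        "https": cookies_sent(jar, f"https://{HOST}/checkout"),
    }


if __name__ == "__main__":
    for flag in (False, True):
        print(f"session cookie Secure={flag}: {scenario(flag)}")
```

With Secure unset, the session ID is attached to plain HTTP requests while the authentication cookie is not; with Secure set, the HTTP request carries no session cookie at all, so the server has no session to share on that side.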