Recommended approach for using Secure/HttpOnly Cookies with ABP 8.x / Angular

[idbates]

Our application is using:

• ABP 8.0.0
• Angular
• EF Core

Pen test results have requested we make all cookies HttpOnly / Secure.

To achieve this we create this cookie policy:

    private void ConfigureCookiePolicies(ServiceConfigurationContext context)
    {
        Configure<CookiePolicyOptions>(options =>
        {
            options.CheckConsentNeeded = context => true;
            options.MinimumSameSitePolicy = SameSiteMode.Strict;
            options.HttpOnly = Microsoft.AspNetCore.CookiePolicy.HttpOnlyPolicy.Always;
            options.Secure = Microsoft.AspNetCore.Http.CookieSecurePolicy.Always;
        });

        context.Services.ConfigureApplicationCookie(options =>
        {
            options.Cookie.HttpOnly = true;
            options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
            options.Cookie.SameSite = SameSiteMode.Strict; 
        });
    }

And apply like this:

app.UseCookiePolicy();

The result is like this

However with XSRF-TOKEN cookie HttpOnly the Antiforgery system is now broken. We think that client script will read this cookie to create a request header.

As a work around we have found the following ASP.NET Zero Post

https://aspnetzero.com/blog/http-only-anti-forgery-token-in-asp.net-zero.

We created the middleware suggested in this post and this appears to work.

Is this the correct approach using ABP? Its not documented on the following page https://abp.io/docs/latest/framework/infrastructure/csrf-anti-forgery. The statement "ABP completely automates CSRF preventing and works out of the box without any configuration" makes us doubt we should be modifying the default approach.

What is the recommended approach for using secure HttpOnly cookies with ABP to avoid breaking anti forgery and other parts of the system?

[realLiangshiwei]

This document still works: https://aspnetzero.com/blog/http-only-anti-forgery-token-in-asp.net-zero
You must add the middleware to the top position.

And change X-XSRF-TOKEN to RequestVerificationToken

[idbates]

Thanks for the prompt reply - we already do as you suggested - see below.
Please can you confirm that this is a recommended approach for using ABP framework with Angular and HttpOnly cookies?

We are concerned about any other negative impact of making cookies HttpOnly - will the culture cookie also work correctly with HttpOnly = true?

namespace Aecom.BioInstinct
{
    using Microsoft.AspNetCore.Builder;

    public static class XsrfMiddleware
    {
        public static IApplicationBuilder UseHttpOnlyAntiForgeryToken(this IApplicationBuilder app)
        {
            return app.Use(async (ctx, next) =>
            {
                var tokens = ctx.Request.Cookies["XSRF-TOKEN"];
                if (string.IsNullOrEmpty(tokens) == false)
                {
                    ctx.Request.Headers["RequestVerificationToken"] = tokens;
                }
                await next();
            });
        }
    }
}

[realLiangshiwei]

Thanks for the prompt reply - we already do as you suggested - see below.

This is a problem is you should use the same domain for angular and backend otherwise the browser will not send the cookies

The recommend way is not to use HttpOnly Cookie for XSRF-TOKEN

[idbates]

Thanks - we use the same domain for angular and backend in this application.

If there is a good reason not to use HttpOnly due to security architecture then we can leave it off and use that argument to counter our pen testers findings. However if the middleware solution is suitable for a single domain application then we might be better leaving the it with this.

[realLiangshiwei]

Thanks - we use the same domain for angular and backend in this application.

It's good