Recommended approach for using Secure/HttpOnly Cookies with ABP 8.x / Angular #20945
Comments
This document still works: https://aspnetzero.com/blog/http-only-anti-forgery-token-in-asp.net-zero
Thanks for the prompt reply - we already do as you suggested - see below. We are concerned about any other negative impact of making cookies

```csharp
namespace Aecom.BioInstinct
{
    using Microsoft.AspNetCore.Builder;

    public static class XsrfMiddleware
    {
        // Copies the anti-forgery token cookie into the request header that the
        // anti-forgery validation reads, because client script can no longer read
        // an HttpOnly cookie to populate that header itself.
        public static IApplicationBuilder UseHttpOnlyAntiForgeryToken(this IApplicationBuilder app)
        {
            return app.Use(async (ctx, next) =>
            {
                var tokens = ctx.Request.Cookies["XSRF-TOKEN"];
                if (!string.IsNullOrEmpty(tokens))
                {
                    ctx.Request.Headers["RequestVerificationToken"] = tokens;
                }
                await next();
            });
        }
    }
}
```
This is a problem: you should use the same domain for Angular and the backend, otherwise the browser will not send the cookies. The recommended way is not to use an HttpOnly cookie for
Thanks - we use the same domain for Angular and the backend in this application. If there is a good reason not to use HttpOnly due to security architecture then we can leave it off and use that argument to counter our pen testers' findings. However, if the middleware solution is suitable for a single-domain application then we might be better leaving it with this.
It's good
Our application is using:

Pen test results have requested we make all cookies HttpOnly/Secure. To achieve this we create this cookie policy:

And apply like this:

```csharp
app.UseCookiePolicy();
```

The result is like this

However, with the XSRF-TOKEN cookie HttpOnly, the Antiforgery system is now broken. We think that client script will read this cookie to create a request header. As a workaround we have found the following ASP.NET Zero post: https://aspnetzero.com/blog/http-only-anti-forgery-token-in-asp.net-zero. We created the middleware suggested in this post and this appears to work.

Is this the correct approach using ABP? It's not documented on the following page: https://abp.io/docs/latest/framework/infrastructure/csrf-anti-forgery. The statement "ABP completely automates CSRF preventing and works out of the box without any configuration" makes us doubt we should be modifying the default approach.

What is the recommended approach for using secure HttpOnly cookies with ABP to avoid breaking anti-forgery and other parts of the system?
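An alternative that follows the maintainer's reply above (do not make the anti-forgery token cookie HttpOnly), added here as an example and not code from the issue, from ABP or from the ASP.NET Zero post: a cookie policy that makes every other cookie Secure and HttpOnly while leaving only the XSRF-TOKEN cookie readable by client script, so ABP's default token-to-header flow keeps working. The caveat that the header-copy middleware carries: once the server fills RequestVerificationToken from a cookie the browser attaches automatically, a matching header no longer proves the caller could read that cookie, so with that middleware the CSRF check rests on the cookie's SameSite attribute rather than on the double-submit token. The cookie name XSRF-TOKEN is taken from the issue; the class and method names are this example's own.

```csharp
// Added example (not from the issue, ABP or ASP.NET Zero). Assumes ABP's default
// anti-forgery token cookie name "XSRF-TOKEN", as used in the issue.
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.CookiePolicy;
using Microsoft.AspNetCore.Http;

public static class CookieHardeningExtensions
{
    private const string AntiForgeryTokenCookie = "XSRF-TOKEN";

    public static IApplicationBuilder UseHardenedCookiePolicy(this IApplicationBuilder app)
    {
        return app.UseCookiePolicy(new CookiePolicyOptions
        {
            // Every cookie the application appends becomes Secure and HttpOnly ...
            Secure = CookieSecurePolicy.Always,
            HttpOnly = HttpOnlyPolicy.Always,

            // ... except the token cookie that client script must read to build the
            // RequestVerificationToken header. OnAppendCookie runs after the policy
            // defaults above have been applied, so this override takes effect for
            // that single cookie only.
            OnAppendCookie = ctx =>
            {
                if (ctx.CookieName == AntiForgeryTokenCookie)
                {
                    ctx.CookieOptions.HttpOnly = false;
                }
            },
        });
    }
}
```

Call `app.UseHardenedCookiePolicy()` where the issue's `app.UseCookiePolicy();` currently sits, before the authentication and anti-forgery middleware, so the policy is already in place for every cookie those components append. With this in place the header-copy middleware is not needed, and the anti-forgery check keeps its original meaning.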