
Cookie security - Setting HttpOnly = true and Secure = true in ASP.NET CORE & Angular .net 7 framework #11686


0
KPCS created

Hi,

We want to set the HttpOnly = true and Secure = true for the below cookies

Abp.TenantId
Abp.AuthToken
Abp.AuthRefreshToken

So how can we do this for these cookies? And after doing it, everything should work as it is.

We even tried the below links for Abp.AuthToken and Abp.TenantId, but it didn't work.

https://support.aspnetzero.com/QA/Questions/11542/vulnerabilities---how-to-set-AbpAuthToken-cookie-Secure-flag-to-true
https://aspnetzero.com/blog/http-only-anti-forgery-token-in-asp.net-zero

We have attached the screenshot for your reference.

Need your urgent support on this. Thank You


20 Answer(s)
  • User Avatar
    0
    ismcagdas created
    Support Team

    Hi @KPCS

    Are you using Angular UI or MVC & jQuery?

  • User Avatar
    0
    KPCS created

    Hi @ismcagdas

    ASP.NET CORE & Angular (single solution)
    Framework: .NET 7.0
    Version: v12.2.1

  • User Avatar
    0
    KPCS created

    Hi @ismcagdas

    Any updates on the above query?

  • User Avatar
    0
    KPCS created

    Hi @ismcagdas

    It's been so long, and not a single response from your side. This security issue is really sensitive, and we need to fix it and deliver it on time. Please give us some update.

  • User Avatar
    0
    ismcagdas created
    Support Team

    Hi @KPCS

    For Abp.AuthToken and Abp.AuthRefreshToken you can set HttpOnly as shown below:

    You can do the same for Abp.TenantId. To do this, you can create a new controller in the Host project and call its method to set a cookie value in the callback event of the IsTenantAvailable call on the login page.

    Then, you need to write a custom middleware to get the tokens and set them to the request headers as shown below:
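A worked version of the approach this answer describes, added here as an editor's example; it is not code from ASP.NET Zero, from the documents repository, or from anyone in this thread. It is an ASP.NET Core 7 minimal-API host that (1) issues the three cookies named in the question with HttpOnly, Secure and SameSite set, and (2) runs a middleware that lifts those cookies into the request headers before authentication would read them. The endpoint routes, the `App:CookieDomain` configuration key, the `Abp.TenantId` header name and the token values are assumptions or constructed sample values, not anything the thread states.

```csharp
// Added example (not ASP.NET Zero's own code). Endpoint routes, the
// App:CookieDomain key, the Abp.TenantId header name and all token values
// are assumptions / constructed sample values.
using System;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;

var builder = WebApplication.CreateBuilder(args);
var app = builder.Build();

// 1. Middleware: in a real host register this before UseAuthentication()/
//    UseAuthorization(). HttpOnly cookies are invisible to Angular, so the
//    browser attaches them and the server moves them into the headers the
//    existing token/tenant resolvers already read. Existing headers win.
app.Use(async (context, next) =>
{
    var req = context.Request;
    if (!req.Headers.ContainsKey("Authorization")
        && req.Cookies.TryGetValue("Abp.AuthToken", out var token)
        && !string.IsNullOrEmpty(token))
    {
        req.Headers["Authorization"] = "Bearer " + token;
    }
    // "Abp.TenantId" as a header name is an assumption (ABP's default tenant
    // resolve key); change it if your tenant resolver reads another key.
    if (!req.Headers.ContainsKey("Abp.TenantId")
        && req.Cookies.TryGetValue("Abp.TenantId", out var tenantId)
        && !string.IsNullOrEmpty(tenantId))
    {
        req.Headers["Abp.TenantId"] = tenantId;
    }
    await next();
});

// Hardened attributes applied to every cookie the API issues.
// Domain is optional: a host-only cookie set by qaapi.sapp.com is already
// sent back to qaapi.sapp.com. Set Domain (e.g. "sapp.com") only when another
// subdomain, such as the one serving Angular, must receive the cookie too.
static CookieOptions SecureCookie(DateTimeOffset expires, string? domain) => new CookieOptions
{
    HttpOnly = true,              // page script cannot read it, so XSS cannot exfiltrate it
    Secure = true,                // sent over HTTPS only
    SameSite = SameSiteMode.Lax,  // qa.sapp.com -> qaapi.sapp.com is same-site, so Lax suffices
    Expires = expires,
    Domain = domain,
    Path = "/",
    IsEssential = true,
};

// 2. Stand-in for the token endpoint: tokens go out as cookies instead of in
//    the JSON body. Token values are constructed samples.
app.MapPost("/api/TokenAuth/Authenticate", (HttpContext ctx) =>
{
    string accessToken = Guid.NewGuid().ToString("N");   // constructed sample value
    string refreshToken = Guid.NewGuid().ToString("N");  // constructed sample value
    string? cookieDomain = app.Configuration["App:CookieDomain"]; // assumed config key

    ctx.Response.Cookies.Append("Abp.AuthToken", accessToken,
        SecureCookie(DateTimeOffset.UtcNow.AddHours(1), cookieDomain));
    ctx.Response.Cookies.Append("Abp.AuthRefreshToken", refreshToken,
        SecureCookie(DateTimeOffset.UtcNow.AddDays(30), cookieDomain));
    return Results.Ok(new { message = "tokens issued as HttpOnly cookies" });
});

// 3. Stand-in for the controller the answer suggests for the IsTenantAvailable
//    callback: Angular calls this instead of writing the tenant cookie itself.
//    tenantId binds from the query string; null clears the cookie.
app.MapPost("/api/Tenant/SetTenantCookie", (HttpContext ctx, int? tenantId) =>
{
    string? cookieDomain = app.Configuration["App:CookieDomain"];
    if (tenantId is null)
    {
        ctx.Response.Cookies.Delete("Abp.TenantId",
            SecureCookie(DateTimeOffset.UtcNow, cookieDomain));
    }
    else
    {
        ctx.Response.Cookies.Append("Abp.TenantId", tenantId.Value.ToString(),
            SecureCookie(DateTimeOffset.UtcNow.AddYears(5), cookieDomain));
    }
    return Results.NoContent();
});

app.Run();
```

Two things follow from moving the token into a cookie. The Angular side must send requests with `withCredentials: true` and the API's CORS policy must list the frontend origin explicitly with `AllowCredentials()`, otherwise the browser drops the cookie on cross-origin calls. And because the browser now attaches the credential automatically, the API is exposed to CSRF in a way a script-supplied bearer header was not, so anti-forgery validation (the topic of the second link in the question) must stay enabled on state-changing endpoints.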

  • User Avatar
    0
    KPCS created

    Hi @ismcagdas

    Added the above code in TokenAuthController.cs and the below code in Startup.cs.

    But it's still not working.

  • User Avatar
    0
    ismcagdas created
    Support Team

    Hi,

    Is this happening at development time or in production?

  • User Avatar
    0
    KPCS created

    Hi @ismcagdas

    It is happening on both development as well as production.

  • User Avatar
    0
    ismcagdas created
    Support Team

    Do you host the Angular app and the Host app under the same domain? If so, is it possible to share the live app URL via [email protected]?

  • User Avatar
    0
    KPCS created

    Hi @ismcagdas

    We have the same domain but different ports. Example:

    https://123.123.1.1:8084 -- Frontend -> https://qa.sapp.com
    https://123.123.1.1:8085 -- Backend -> https://apiqa.sapp.com

    It's not possible to share a live app URL. But we are sharing a code base (fresh boilerplate) implementing the last solution provided by you, in the above mail.

  • User Avatar
    0
    ismcagdas created
    Support Team

    Hi @KPCS

    Thanks, we got the email and we will check it soon.

  • User Avatar
    0
    KPCS created

    Hi @ismcagdas

    We will be waiting for your response.

  • User Avatar
    0
    ismcagdas created
    Support Team

    Hi,

    Sorry for our late reply. We created a draft blog post about this use case; you can check it here: https://github.com/aspnetzero/documents/pull/277. It is currently under review, but I think it will help you.

  • User Avatar
    0
    KPCS created

    Hi @ismcagdas,

    Sorry for the late reply. We checked the link you provided; the very first condition for that implementation is to have the same domain name. Unfortunately, we can't have the same domain name, but we still tried that solution by implementing some extra logic and effort, and none of it worked. Can you please help us find some other solution?

  • User Avatar
    0
    ismcagdas created
    Support Team

    Hi,

    Sorry, I think I didn't get it right. Based on your answer, I thought you were hosting the Angular app and the Host app under the same domain. If that's not the case, I'm not sure how to change the current architecture to the one you want, because different domains can't share cookies.

    Are you hosting these apps under the same domain but with different subdomains?

  • User Avatar
    0
    KPCS created

    Hi @ismcagdas,

    Yes, we have different subdomains.

    Example:

    https://123.123.1.1:8084 -- Frontend -> https://qa.sapp.com
    https://123.123.1.1:8085 -- Backend -> https://qaapi.sapp.com

  • User Avatar
    0
    ismcagdas created
    Support Team

    Hi,

    In this case, cookie sharing should work. Is it possible to send an email to [email protected] explaining how to reproduce the problem on the live app and share test user credentials?

    Thanks,
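The rule behind the last two support replies (different domains cannot share a cookie; subdomains of one registrable domain can, through the cookie's Domain attribute) can be checked mechanically. The following is an added example, not code from the thread or from ASP.NET Zero: a small C# implementation of the RFC 6265 domain-match rule, applied to the hosts quoted above. It deliberately ignores the public-suffix list that browsers also consult (a real browser rejects Domain=com), and it models only the Domain attribute, not Path, Secure or SameSite.

```csharp
// Added example, not ASP.NET Zero code: RFC 6265 cookie domain matching
// applied to the frontend/backend hosts quoted in the thread.
using System;
using System.Net;

public static class CookieScope
{
    // RFC 6265 section 5.1.3: `host` domain-matches `cookieDomain` when the two
    // are identical, or `cookieDomain` is a suffix of `host` preceded by a '.',
    // and `host` is a name rather than an IP address.
    public static bool DomainMatches(string host, string cookieDomain)
    {
        host = host.ToLowerInvariant();
        cookieDomain = cookieDomain.TrimStart('.').ToLowerInvariant(); // a leading dot is ignored
        if (host == cookieDomain) return true;
        if (IPAddress.TryParse(host, out _)) return false;
        return host.EndsWith("." + cookieDomain, StringComparison.Ordinal);
    }

    // Would a cookie set in a response from `setBy`, carrying the given Domain
    // attribute (null = attribute absent, so the cookie is host-only), be
    // attached to a request to `requestHost`?
    public static bool WouldBeSent(string setBy, string? domainAttribute, string requestHost)
    {
        if (domainAttribute is null)
        {
            // Host-only cookie: only the exact host that set it receives it.
            return string.Equals(setBy, requestHost, StringComparison.OrdinalIgnoreCase);
        }
        // Section 5.3 step 6: the browser discards a cookie whose Domain does not
        // cover the host that set it, so a site cannot scope cookies onto another site.
        if (!DomainMatches(setBy, domainAttribute)) return false;
        return DomainMatches(requestHost, domainAttribute);
    }

    public static void Main()
    {
        const string api = "qaapi.sapp.com";   // backend host from the thread
        const string app = "qa.sapp.com";      // frontend host from the thread

        // API sets a host-only cookie: calls back to the API carry it, the
        // frontend host does not receive it.
        Console.WriteLine($"host-only, API -> API:      {WouldBeSent(api, null, api)}");
        Console.WriteLine($"host-only, API -> frontend: {WouldBeSent(api, null, app)}");

        // API sets Domain=sapp.com: every subdomain of sapp.com receives it.
        Console.WriteLine($"Domain=sapp.com -> frontend: {WouldBeSent(api, "sapp.com", app)}");
        Console.WriteLine($"Domain=sapp.com -> API:      {WouldBeSent(api, "sapp.com", api)}");

        // Unrelated registrable domains: no sharing either way.
        Console.WriteLine($"Domain=sapp.com -> other site: {WouldBeSent(api, "sapp.com", "qa.other-example.com")}");
        Console.WriteLine($"Domain=other site set by API:  {WouldBeSent(api, "other-example.com", app)}");

        // The raw IP literals from the thread never domain-match a name.
        Console.WriteLine($"IP literal with Domain=sapp.com: {WouldBeSent("123.123.1.1", "sapp.com", app)}");
    }
}
```

The practical reading for the setup in this thread: with the API at qaapi.sapp.com and Angular at qa.sapp.com, a cookie the API sets is returned to the API even without a Domain attribute, because the request host is the API host; Domain=sapp.com is needed only if qa.sapp.com itself must receive the cookie. What cannot work is the earlier situation where the two apps were reached by different registrable domains or by bare IP and port.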

  • User Avatar
    0
    KPCS created

    Hi,

    Due to security issues, we can't share test user credentials. But we have mailed you the base code with your last implementation (https://github.com/aspnetzero/documents/pull/277), which is also not working. We request you to provide us with the solution for this issue ASAP and reshare that codebase with us.

  • User Avatar
    0
    ismcagdas created
    Support Team

    Hi @KPCS

    Thanks. We can continue via email for this ticket.

  • User Avatar
    0
    ESTeam created

    I have the same challenge as @KPCS. Were you able to resolve it?