Cookie security - Setting HttpOnly = true and Secure = true in ASP.NET CORE & Angular .net 7 framework #11686

KPCS created one month ago

Hi,

We want to set the HttpOnly = true and Secure = true for the below cookies

Abp.TenantId Abp.AuthToken Abp.AuthRefreshToken

So how can we do for these cookies. And after doing it everything should work as it is.

We even try the below links for the Abp.AuthToken and Abp.TenantId but it didn't work. https://support.aspnetzero.com/QA/Questions/11542/vulnerabilities---how-to-set-AbpAuthToken-cookie-Secure-flag-to-true https://aspnetzero.com/blog/http-only-anti-forgery-token-in-asp.net-zero

We have attached the screenshot for your reference.

Need your urgent support on this. Thank You

13 Answer(s)

0

ismcagdas created one month ago
Support Team

Hi @KPCS

Are you using Angular UI or MVC & jQuery ?
0

KPCS created one month ago

Hi @ismcagdas

ASP.NET CORE & Angular (single solution) Framework : .NET 7.0 Version : v12.2.1
0

KPCS created one month ago

Hi @ismcagdas

Any updates on above query.
0

KPCS created one month ago

Hi @ismcagdas

It's been so long, not a single response from your side. This security issue is really sensitive, and we need to fix it and delivered it on time. Please give some update.
0

ismcagdas created one month ago
Support Team

Hi @KPCS

For Abp.AuthToken and Abp.AuthRefreshToken you can set HttpOnly as shown below;

Yoıu can do the same for Abp.TenantId. To do this, you can create a new controller in Host project and call it's method with to set a cookie value in the callback event of IsTenantAvailable call on login page.

Then, you need to write a custom middleware to get tokens and set them to request headers as shown below;
0

KPCS created one month ago

Hi @ismcagdas

Added the above code in TokenAuthController.cs and the below code in Startup.cs

But still it's not working
0

ismcagdas created 25 days ago
Support Team

Hi,

Is this happening on development time or on production ?
0

KPCS created 25 days ago

Hi @ismcagdas

It is happening on both development as well as production.
0

ismcagdas created 25 days ago
Support Team

Do you host Angular app and Host app under the same domain ? If so, is it possible to share the live app URL via [email protected] ?
0

KPCS created 24 days ago

Hi @ismcagdas

We have a same domain but different ports. Example: https://123.123.1.1:8084 -- Frontend -> https://qa.sapp.com https://123.123.1.1:8085 -- Backend -> https://apiqa.sapp.com

It's not possible to share a live app URL. But we share a code base (fresh boiler plate) implementing the last solution provided by you, on the above mail.
0

ismcagdas created 23 days ago
Support Team

Hi @KPCS

Thanks, we got the email and we will check it soon.
0

KPCS created 19 days ago

Hi @ismcagdas

We will be waiting for your response.
0

ismcagdas created 5 days ago
Support Team

Hi,

Sorry for our late reply. We created a draft blog post about this use-case, you can check it here https://github.com/aspnetzero/documents/pull/277. It is currently under review but I think it will help you.

Have an answer to this question? Log in and write your answer.