
Re: HttpOnly for Abp.AuthToken, Abp.AuthRefreshToken, and enc_auth_token cookies #11842


aptys created

We use version 11.4 of the ASP.NET Core + Angular version of ASP.NET Zero, and I have a question about the HttpOnly attribute for the authentication cookies. The auth tokens are created by the Angular app, and because they are created by the client they cannot have the HttpOnly attribute when they are created. The Angular app appears to access the contents of the Abp.AuthToken and enc_auth_token cookies after they are created, which means that they can never be marked HttpOnly.

The only information that I can find in the ASP.NET Zero documentation related to the HttpOnly attribute for cookies is in a fairly old report, https://docs.aspnetzero.com/en/common/latest/Security-Report-Core, but the notes about HttpOnly in that report do not seem to address the auth cookies.

Here’s my question: Is my description of why the authorization cookies cannot have the HttpOnly attribute accurate? If not, is there other ASP.NET Zero documentation that describes this?
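The situation described in the question has a simple mechanical cause: a cookie written from script via `document.cookie` cannot carry the HttpOnly flag (browsers discard a non-HTTP cookie write that requests it), so only a cookie issued by the server in a `Set-Cookie` response header can be HttpOnly. A practical way to see where a deployment stands is to audit the `Set-Cookie` headers the server actually emits for the cookie names named in the thread. The following Node.js script is an added example, not ASP.NET Zero code: it parses `Set-Cookie` header values and reports which of `Abp.AuthToken`, `Abp.AuthRefreshToken` and `enc_auth_token` lack HttpOnly, Secure or SameSite. The header values in `SAMPLE_HEADERS` are constructed samples, not output captured from ASP.NET Zero.

```javascript
// Added example (not ASP.NET Zero code): audit Set-Cookie headers for the
// auth cookie names from the thread and report missing hardening attributes.
// A cookie written by Angular via document.cookie never reaches this path,
// because script-written cookies cannot carry HttpOnly at all.

const AUTH_COOKIES = ["Abp.AuthToken", "Abp.AuthRefreshToken", "enc_auth_token"];

// Parse one Set-Cookie header value into { name, value, attributes }.
// Attribute keys are lower-cased; flag attributes (Secure, HttpOnly) map to true.
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf("=");
  const name = eq === -1 ? parts[0] : parts[0].slice(0, eq);
  const value = eq === -1 ? "" : parts[0].slice(eq + 1);
  const attributes = {};
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    attributes[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return { name, value, attributes };
}

// Return one finding per auth cookie that is missing HttpOnly, Secure or SameSite.
// Cookies with other names are ignored; fully hardened cookies produce no finding.
function auditSetCookies(headers) {
  const findings = [];
  for (const h of headers) {
    const c = parseSetCookie(h);
    if (!AUTH_COOKIES.includes(c.name)) continue;
    const missing = [];
    if (!c.attributes.httponly) missing.push("HttpOnly");
    if (!c.attributes.secure) missing.push("Secure");
    if (!c.attributes.samesite) missing.push("SameSite");
    if (missing.length > 0) findings.push({ cookie: c.name, missing });
  }
  return findings;
}

// Constructed sample headers (not captured from any real server):
// one fully hardened cookie, one with no protective attributes, one partial,
// and one unrelated cookie that the audit should skip.
const SAMPLE_HEADERS = [
  "Abp.AuthToken=eyJ...; Path=/; Secure; HttpOnly; SameSite=Lax",
  "enc_auth_token=AQAA...; Path=/; Expires=Wed, 01 Jan 2025 00:00:00 GMT",
  "Abp.AuthRefreshToken=abc; Path=/; Secure",
  "unrelated=1; Path=/",
];

console.log(JSON.stringify(auditSetCookies(SAMPLE_HEADERS), null, 2));
```

To run this against a live deployment, replace `SAMPLE_HEADERS` with the `Set-Cookie` values from the login response (for example from the browser's network panel or a `curl -i` capture). If the auth cookie names never appear in any `Set-Cookie` header, they are being written by client script, which is exactly the case where HttpOnly is unavailable.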


1 Answer(s)