
HttpOnly for Abp.AuthToken, Abp.AuthRefreshToken, and enc_auth_token cookies #11891


aptys created

We followed the instructions as recommended, first from the PR (where we provided feedback) and finally at the blog post HTTP-Only Cookies in ASP.NET Zero Angular UI | ASP.NET Zero (aspnetzero.com). We need to support CORS and have managed to get the cookies to download when the Angular app is a different domain (we can see them in the browser for the application), but the session in the Angular app is not getting the user information. We think that the issue is in the ABP framework where the session is constructed, but we don’t know. It seems to work when we copy the app to wwwroot as recommended in the blog post, but we don’t run that way in production. We’re on v11.4 and have adapted the recommended changes for that version.

Will implementing this be more successful on v13.x because it’s based on a later version of ABP? (The change history does not indicate that it will be, but we didn’t look at all the PRs.) If not, is there a way to get assistance to look at our specific code for this issue? If so, what’s involved with that?


1 Answer(s)
  • ismcagdas created (Support Team)

    Hi @aptys

    You can't use HttpOnly cookies if you host your Angular app in a different domain. Even if the server side returns the correct cookies, they will not be set on the client side because of the different domain name.
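
When debugging a setup like the one described in this thread (cookies appear in the browser, but the session is not populated), the first thing to confirm is what attributes the server actually sends on the three cookies. The following audit script is an added example for this page, not code from ASP.NET Zero or the ABP framework: it parses raw `Set-Cookie` header lines and reports, for `Abp.AuthToken`, `Abp.AuthRefreshToken` and `enc_auth_token`, whether `HttpOnly`, `Secure` and `SameSite` are present and consistent. The header lines and token values in the block are constructed placeholders, not captured from a real deployment.

```python
"""Audit Set-Cookie headers for the ABP auth cookies named in the thread.

Added example (not ASP.NET Zero / ABP code). The sample headers below are
constructed for illustration; the token values are placeholders.
"""

# Cookie names taken from the thread title.
AUTH_COOKIES = ("Abp.AuthToken", "Abp.AuthRefreshToken", "enc_auth_token")


def parse_set_cookie(header: str) -> dict:
    """Parse one Set-Cookie header value into name, value and the attributes
    relevant to an HttpOnly-cookie setup. Attribute names are case-insensitive."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    cookie = {
        "name": name.strip(),
        "value": value.strip(),
        "httponly": False,
        "secure": False,
        "samesite": None,   # None means the attribute was not sent at all
        "domain": None,
        "path": None,
    }
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        val = val.strip()
        if key == "httponly":
            cookie["httponly"] = True
        elif key == "secure":
            cookie["secure"] = True
        elif key == "samesite":
            # Normalise to the spec spellings: Strict, Lax, None
            cookie["samesite"] = val.capitalize() if val else None
        elif key == "domain":
            cookie["domain"] = val.lstrip(".").lower() or None
        elif key == "path":
            cookie["path"] = val or None
    return cookie


def audit_auth_cookies(headers: list[str]) -> dict[str, list[str]]:
    """Return a findings list per auth cookie. An empty list means the cookie
    was present with HttpOnly + Secure and a usable SameSite attribute.
    Cookies expected but never sent are reported under their name as well."""
    findings: dict[str, list[str]] = {}
    for header in headers:
        cookie = parse_set_cookie(header)
        if cookie["name"] not in AUTH_COOKIES:
            continue  # unrelated cookie, ignore
        issues = []
        if not cookie["httponly"]:
            issues.append("missing HttpOnly")
        if not cookie["secure"]:
            issues.append("missing Secure")
        if cookie["samesite"] is None:
            issues.append("no SameSite attribute (browser default applies)")
        elif cookie["samesite"] == "None" and not cookie["secure"]:
            # Browsers reject SameSite=None cookies that are not also Secure.
            issues.append("SameSite=None requires Secure")
        findings[cookie["name"]] = issues
    for expected in AUTH_COOKIES:
        findings.setdefault(expected, ["cookie not sent by server"])
    return findings


# Constructed sample response headers (placeholder values, not real tokens).
SAMPLE_HEADERS = [
    "Abp.AuthToken=TOKEN_PLACEHOLDER; Path=/; HttpOnly; Secure; SameSite=Lax",
    "Abp.AuthRefreshToken=REFRESH_PLACEHOLDER; Path=/; HttpOnly; SameSite=None",
    "enc_auth_token=ENC_PLACEHOLDER; Path=/",
    "XSRF-TOKEN=XSRF_PLACEHOLDER; Path=/",  # not an auth cookie, skipped
]

if __name__ == "__main__":
    for name, issues in audit_auth_cookies(SAMPLE_HEADERS).items():
        print(f"{name}: {'OK' if not issues else ', '.join(issues)}")
```

Feed the script the `Set-Cookie` lines copied from the login response (browser dev tools or a proxy) rather than the cookie jar view, since the jar only shows cookies the browser already accepted and hides the attributes that decided whether they are sent back with the Angular app's API calls.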