
httponly cookies #12191


aiqbal created

I have followed the guide on this page, https://aspnetzero.com/blog/http-only-cookies-in-asp.net-zero-angular-ui, to support secure httponly cookies but I'm running into issues and I suspect it's because we are not using multi tenancy.

When running the project on the server it will not go beyond the login page. There are no errors on the console or network. It will simply redirect us back to the login page after logging in.

The only difference I can see between before and after making the change is that when it calls /AbpUserConfiguration/GetAll the response coming back is missing data compared to what we had before. In the past the session section would have the userId, but now it comes back as null. The theme information coming back is also different; I think it's coming back with the default values.

If we try to run the project locally, with IsHttpOnlyCookieEnabled set to false in the appsettings.json, we also run into problems. In this case we can log in, but it always takes us to the /app route while loading an improper theme. We found that we could fix this particular issue by ignoring the part of the guide where it wants to change getUserConfiguration() to stop setting the requestHeaders when calling /AbpUserConfiguration/GetAll. Adding the header back in at least fixed the behaviour locally.

Any ideas on how to fix this? We need to fix this within the next week for security reasons so any help would be appreciated.


private static getUserConfiguration(callback: () => void): any {
    let requestHeaders = AppPreBootstrap.getRequetHeadersWithDefaultValues();

    // Only attach the bearer token when the token is not being carried by the httponly cookie
    if (!abp.auth.isHttpOnlyCookieEnabled) {
        const token = abp.auth.getToken();

        if (token) {
            requestHeaders['Authorization'] = 'Bearer ' + token;
        }
    }

    return XmlHttpRequestHelper.ajax(
        'GET',
        AppConsts.remoteServiceBaseUrl + '/AbpUserConfiguration/GetAll',
        requestHeaders, //the guide wants to set this line to null but it causes issues
        null,
        (response) => {
            let result = response.result;

            _merge(abp, result);

            abp.clock.provider = this.getCurrentClockProvider(result.clock.provider);

            AppPreBootstrap.configureLuxon();

            abp.event.trigger('abp.dynamicScriptsInitialized');

            AppConsts.recaptchaSiteKey = abp.setting.get('Recaptcha.SiteKey');
            AppConsts.subscriptionExpireNootifyDayCount = parseInt(
                abp.setting.get('App.TenantManagement.SubscriptionExpireNotifyDayCount')
            );

            DynamicResourcesHelper.loadResources(callback);
        }
    );
}

5 Answer(s)
  • m.aliozkaya created
    Support Team

    Hi @aiqbal,

    First of all, your backend project and your Angular project must be located in the same domain. For example, if your Angular project is located at https://localhost:44300, then your backend project *.Host must be located at https://localhost:44300/api.

    Does your project comply with the rules mentioned above?

  • aiqbal created

    They do locally, but we are more concerned about what happens when we deploy to the server. In that case the Angular website is hosted at admin.ourdomain.com and the API is located at api.ourdomain.com.

  • m.aliozkaya created
    Support Team

    Hi @aiqbal,

    After the Angular build, you can move the dist folder items to *.Host/wwwroot. Then go to wwwroot/assets/appconfig.production.json and update "appBaseUrl": "https://localhost:44301". Then you can test it locally.

    The theme I selected before is installed successfully.

  • aiqbal created

    Hi. We have tried this but it did not work for us. Just to confirm, are you running in single tenancy mode?

    The theme/session issue mentioned is something we are seeing happening if we set IsHttpOnlyCookieEnabled to false but that isn't the important issue at the moment since we want to use the httponly cookie.

    When we set IsHttpOnlyCookieEnabled to true, we cannot proceed past the login screen. We can see that it authenticated successfully, but the user is forwarded back to the login screen right after. Do you know why this could be happening?

  • m.aliozkaya created
    Support Team

    Hi @aiqbal,

    I disabled the multi-tenancy and tested again. It is still working correctly.

    Could you check the cookies?

    Also, can you check the response headers?

    You can review your code against the sample project: https://github.com/aspnetzero/aspnet-zero-samples/tree/master/AngularHttpOnlyCookieDemo
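As an added example (not ASP.NET Zero's or the sample project's code), the script below models the browser cookie-scoping rules behind the same-domain requirement raised in this thread: for the admin.ourdomain.com / api.ourdomain.com split, a Secure, HttpOnly, SameSite=Lax cookie set by the API host is only attached to a cross-origin XHR that is sent with credentials, whereas the same-origin layout (Angular served under *.Host) carries it unconditionally. The host names, cookie name and value are constructed; the registrable-domain check is a simplification of what browsers do.

```javascript
// Added example, not ASP.NET Zero code: models which cookies a browser attaches
// to an XHR from the Angular page origin to the API, following RFC 6265 scoping
// rules plus SameSite. Host names and cookie values are constructed.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1),
                   domain: null, path: '/', secure: false, httpOnly: false, sameSite: 'Lax' };
  for (const attr of attrs) {
    const [k, v = ''] = attr.split('=');
    switch (k.toLowerCase()) {
      case 'domain': cookie.domain = v.replace(/^\./, '').toLowerCase(); break;
      case 'path': cookie.path = v; break;                 // assumes '/' when absent
      case 'secure': cookie.secure = true; break;
      case 'httponly': cookie.httpOnly = true; break;
      case 'samesite': cookie.sameSite = v ? v[0].toUpperCase() + v.slice(1).toLowerCase() : 'Lax'; break;
    }
  }
  return cookie;
}

// RFC 6265 5.1.3: a host domain-matches a Domain attribute if equal or a subdomain of it.
function domainMatches(host, domain) {
  return host === domain || host.endsWith('.' + domain);
}

// Site = last two host labels (toy; browsers use the public suffix list).
const site = (host) => host.split('.').slice(-2).join('.');

// Returns true if the browser would attach `cookie` (set by `setByHost`) to a
// request from `pageOrigin` to `targetUrl`. Cross-origin XHR only carries
// cookies when sent with credentials (withCredentials / credentials: 'include').
function wouldSend(cookie, setByHost, pageOrigin, targetUrl, withCredentials) {
  const target = new URL(targetUrl);
  const page = new URL(pageOrigin);
  const hostOk = cookie.domain
    ? domainMatches(target.hostname, cookie.domain)
    : target.hostname === setByHost;              // host-only cookie when Domain is absent
  if (!hostOk) return false;
  if (cookie.secure && target.protocol !== 'https:') return false;
  if (!target.pathname.startsWith(cookie.path)) return false;
  if (page.origin !== target.origin && !withCredentials) return false;
  // Lax and Strict both withhold the cookie from cross-site XHR; None requires Secure.
  if (cookie.sameSite === 'None') return cookie.secure;
  return site(page.hostname) === site(target.hostname);
}

// Constructed Set-Cookie header as a backend on api.ourdomain.com might emit it.
const SESSION = parseSetCookie('session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax');
```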