Hi,
We want to set HttpOnly = true and Secure = true for the below cookies:
Abp.TenantId Abp.AuthToken Abp.AuthRefreshToken
So how can we do this for these cookies? And after doing it, everything should work as it is.
We even tried the below links for Abp.AuthToken and Abp.TenantId, but it didn't work. https://support.aspnetzero.com/QA/Questions/11542/vulnerabilities---how-to-set-AbpAuthToken-cookie-Secure-flag-to-true https://aspnetzero.com/blog/http-only-anti-forgery-token-in-asp.net-zero
We have attached the screenshot for your reference.
Need your urgent support on this. Thank you.
Hi Team,
We are using ASP.NET Core & Angular (single solution) on the .NET 7.0 framework. I've tried various things to set the cookie's HttpOnly and Secure flags to true.
The requirement was suggested by our security expert.
There are also a few other support posts about this issue, but none of them seem to provide a proper solution to this issue.
Need your urgent support on this.
Thank you.
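For the two posts above, one server-side way to guarantee the flags is to rewrite every outgoing Set-Cookie header. The example below is added here and is not ASP.NET Zero's own code; it assumes ASP.NET Core 7, registration early in the pipeline with `app.UseMiddleware<SecureCookieMiddleware>()`, and that the cookies in question are issued by the server. A cookie written from browser-side JavaScript can never carry HttpOnly, because only a Set-Cookie header from the server can set that flag, so if the Angular client writes a cookie itself, the flag has to come from a server-issued cookie instead.

```csharp
// Added example, not ASP.NET Zero's own code: ASP.NET Core middleware that adds
// HttpOnly and Secure to every Set-Cookie header the server emits, unless the
// attribute is already present. Assumes ASP.NET Core 7 and registration before
// MVC/endpoints: app.UseMiddleware<SecureCookieMiddleware>();
using System;
using System.Linq;
using System.Text.RegularExpressions;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Primitives;

public sealed class SecureCookieMiddleware
{
    // Match the attribute as a whole token ("; HttpOnly" followed by ";" or the
    // end of the header), not as a substring of a cookie name or value.
    private static readonly Regex HttpOnlyAttr =
        new(@";\s*HttpOnly\s*(;|$)", RegexOptions.IgnoreCase | RegexOptions.Compiled);
    private static readonly Regex SecureAttr =
        new(@";\s*Secure\s*(;|$)", RegexOptions.IgnoreCase | RegexOptions.Compiled);

    private readonly RequestDelegate _next;

    public SecureCookieMiddleware(RequestDelegate next) => _next = next;

    public Task InvokeAsync(HttpContext context)
    {
        // Response headers can still be changed in OnStarting, which runs just
        // before they are flushed to the client.
        context.Response.OnStarting(() =>
        {
            var headers = context.Response.Headers;
            if (headers.TryGetValue("Set-Cookie", out StringValues cookies))
            {
                headers["Set-Cookie"] =
                    new StringValues(cookies.Select(c => Harden(c)).ToArray());
            }
            return Task.CompletedTask;
        });
        return _next(context);
    }

    // Appends the two attributes only when they are missing, so cookies that
    // already declare them (e.g. the antiforgery cookie) are left untouched.
    public static string Harden(string? setCookie)
    {
        if (string.IsNullOrEmpty(setCookie)) return setCookie ?? string.Empty;
        var result = setCookie;
        if (!HttpOnlyAttr.IsMatch(result)) result += "; HttpOnly";
        if (!SecureAttr.IsMatch(result)) result += "; Secure";
        return result;
    }
}
```

Register it before the middleware that issues the cookies, because `OnStarting` callbacks registered earlier in the pipeline see the headers set by everything after them. A quick check after deployment is to inspect the Set-Cookie headers in the browser's network tab and confirm both attributes appear on each cookie named in the post.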
Hi @ismcagdas,
For an existing project, in the 2nd step it says,
Create an empty project from AspNet Zero website using your existing project name but select the version when you started development for your project. If you don't remember the initial AspNet Zero version you have started your project, you can check [*.Core/AppVersionHelper.cs].
How do we create an empty project from the AspNet Zero website?
Hi Team,
In our application, we want the Users to log in with 2FA using Google Authenticator only. This is mandatory for all users of the given tenant.
We noticed that the user has the privilege to disable Google authentication once it is set. This should not be allowed, as 2FA is a tenant policy.
Please provide a solution for this.
Thanks,
Kind Regards, Kumar Prashant
Hi Team,
We are using Angular and MS SQL Standard edition. We have a need to deploy the ASP.NET Zero application to about 100 customers on their own premises in a two-tier setup with separate servers for App and Database.
Do you have any recommended toolset/process for the deployment and periodic upgrades? Some customers may upgrade in skip cycles.
Thanks,
Kind Regards, Kumar Prashant
Hi Team,
It is recommended that a user can reset the password only with the newly sent password reset link delivered to the registered email.
An attacker with physical access to the victim may use an older link to reset the password on behalf of the victim.
Please suggest.
Thanks,
Kind Regards, Kumar Prashant
Hi Team,
It is recommended to store users' personal data in encrypted format in the database for GDPR compliance. How can we achieve the same? Is there a recommended coding approach from you?
Thanks,
Kind Regards, Kumar Prashant
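One coding approach to the question above is transparent column encryption with an EF Core value converter, so application code keeps reading and writing plain strings while the database only ever holds ciphertext. The code below is an added example, not ASP.NET Zero's recommended approach or its own code; it assumes EF Core 7 on .NET 7, a 32-byte AES-256 key loaded from a secret store rather than from source or appsettings, and a hypothetical `Customer` entity with a `NationalId` property.

```csharp
// Added example, not ASP.NET Zero's own code: EF Core value converter that
// stores selected personal-data properties as AES-GCM ciphertext.
// Assumes EF Core 7 on .NET 7 and a 32-byte key supplied from a secret store.
using System;
using System.Security.Cryptography;
using System.Text;
using Microsoft.EntityFrameworkCore;
using Microsoft.EntityFrameworkCore.Storage.ValueConversion;

public sealed class AesGcmStringConverter : ValueConverter<string, byte[]>
{
    private const int NonceSize = 12, TagSize = 16;

    public AesGcmStringConverter(byte[] key)
        : base(plain => Encrypt(key, plain), stored => Decrypt(key, stored))
    {
        if (key.Length != 32)
            throw new ArgumentException("AES-256 key must be 32 bytes", nameof(key));
    }

    // Stored layout: nonce (12) | tag (16) | ciphertext. A fresh random nonce
    // per write means two equal plaintexts do not produce equal columns.
    private static byte[] Encrypt(byte[] key, string plaintext)
    {
        var pt = Encoding.UTF8.GetBytes(plaintext);
        var output = new byte[NonceSize + TagSize + pt.Length];
        var nonce = output.AsSpan(0, NonceSize);
        var tag = output.AsSpan(NonceSize, TagSize);
        var ct = output.AsSpan(NonceSize + TagSize);
        RandomNumberGenerator.Fill(nonce);
        using var aes = new AesGcm(key);
        aes.Encrypt(nonce, pt, ct, tag);
        return output;
    }

    private static string Decrypt(byte[] key, byte[] stored)
    {
        if (stored.Length < NonceSize + TagSize)
            throw new CryptographicException("Stored value too short to be valid");
        var nonce = stored.AsSpan(0, NonceSize);
        var tag = stored.AsSpan(NonceSize, TagSize);
        var ct = stored.AsSpan(NonceSize + TagSize);
        var pt = new byte[ct.Length];
        using var aes = new AesGcm(key);
        aes.Decrypt(nonce, ct, tag, pt); // throws CryptographicException if the row was tampered with
        return Encoding.UTF8.GetString(pt);
    }
}

// Hypothetical entity used only to show where the converter is attached.
public sealed class Customer
{
    public int Id { get; set; }
    public string NationalId { get; set; } = string.Empty;
}

public sealed class AppDbContext : DbContext
{
    private readonly byte[] _key;

    // The key is injected; it must not be hard-coded or stored next to the data.
    public AppDbContext(DbContextOptions<AppDbContext> options, byte[] key)
        : base(options) => _key = key;

    public DbSet<Customer> Customers => Set<Customer>();

    protected override void OnModelCreating(ModelBuilder modelBuilder)
    {
        // The column becomes varbinary; reads and writes through the DbContext
        // are transparently decrypted and encrypted.
        modelBuilder.Entity<Customer>()
            .Property(c => c.NationalId)
            .HasConversion(new AesGcmStringConverter(_key));
    }
}
```

Two caveats worth planning for: an encrypted column cannot be filtered, sorted or indexed on its plaintext by the database, so any property that must be searchable needs a separate keyed-hash column for lookups; and key rotation requires a migration that decrypts with the old key and re-encrypts with the new one, so keep a key identifier alongside the data from the start.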
Hi Team,
There is a direct URL access issue in the ASP.NET Zero project, where a user can access static files without authentication.
For example, anyone can access this URL: d6be4d82.demo.aspnetzero.com/assets/sampleFiles/ImportUsersSampleFile.xlsx
We want to add authentication checks for this URL; please guide us on how we can achieve this.
Thanks,
Kind Regards, Kumar Prashant
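The usual cause of the behaviour described above is middleware ordering: `UseStaticFiles()` short-circuits the pipeline before authentication has run, so nothing ever checks the caller. The example below is added here and is not ASP.NET Zero's own code; it assumes ASP.NET Core 7 minimal hosting, that the authentication scheme is configured as in the project, and uses the `/assets/sampleFiles` prefix from the post as the protected path.

```csharp
// Added example, not ASP.NET Zero's own code: require an authenticated user
// before ASP.NET Core serves anything under /assets/sampleFiles.
// Assumes ASP.NET Core 7 minimal hosting and the project's own
// authentication scheme configuration.
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddAuthentication(); // scheme options as configured in the project
builder.Services.AddAuthorization();
builder.Services.AddControllers();
var app = builder.Build();

// Authentication must run before the static-file middleware; otherwise
// context.User is never populated for file requests and the check below
// would reject everyone.
app.UseAuthentication();

// Only the listed prefix is gated, so public assets (scripts, styles,
// images) keep being served anonymously.
var protectedPrefix = new PathString("/assets/sampleFiles");
app.Use(async (context, next) =>
{
    if (context.Request.Path.StartsWithSegments(protectedPrefix)
        && context.User?.Identity?.IsAuthenticated != true)
    {
        // Short-circuit: the request never reaches UseStaticFiles.
        context.Response.StatusCode = StatusCodes.Status401Unauthorized;
        return;
    }
    await next(context);
});

app.UseStaticFiles();
app.UseAuthorization();
app.MapControllers();
app.Run();
```

To verify, request the file once without a session and once with one: the anonymous request should return 401 and the authenticated one the file. If the files are served by a front-end web server or CDN in front of the host, the same check has to be enforced there too, since that layer never consults the ASP.NET Core pipeline.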
Hi,
We would like to do this for all API calls. Our function to encrypt/decrypt is ready. Can you please suggest the best place to make the function call on both the front-end side and the backend?
Thanks
Hi Team,
In standard ASP.NET Zero projects there are two roles, Admin and User. We want to introduce a new HR role with the ability to create Users.
The concern is that the HR person, while creating a user, can also give the User an HR role or Admin role. We do not want the HR person to create a user with any role; it should be limited to the default role.
Please advise.
Thanks,
Kind Regards, Kumar Prashant