Hi,
We want to set HttpOnly = true and Secure = true for the below cookies:
Abp.TenantId Abp.AuthToken Abp.AuthRefreshToken
So how can we do this for these cookies? And after doing it, everything should work as it is.
We even tried the below links for Abp.AuthToken and Abp.TenantId, but it didn't work. https://support.aspnetzero.com/QA/Questions/11542/vulnerabilities---how-to-set-AbpAuthToken-cookie-Secure-flag-to-true https://aspnetzero.com/blog/http-only-anti-forgery-token-in-asp.net-zero
We have attached the screenshot for your reference.
Need your urgent support on this. Thank You
Hi Team,
We are using ASP.NET Core & Angular (single solution) on the .NET 7.0 framework. I've tried various things to set HttpOnly and Secure to true on the cookies.
The requirement was suggested by our security expert.
There are also a few other support posts about this issue, but none of them seem to provide a proper solution to this issue.
Need your urgent support on this.
Thank you.
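An added example for the two posts above (not ASP.NET Zero's own code): it forces HttpOnly and Secure on every cookie the server emits and issues the named cookies explicitly with those flags. It assumes the cookies are written by the server in a Set-Cookie header; HttpOnly is a Set-Cookie attribute, so a cookie that client-side JavaScript writes and later reads (as an SPA token cookie typically is) cannot carry it, and the route, helper name and lifetimes below are illustrative.

```csharp
// Added example, not ASP.NET Zero's own code. Cookie names come from the post;
// the endpoint, helper and lifetimes are placeholders.
using System;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.CookiePolicy;
using Microsoft.AspNetCore.Http;

var builder = WebApplication.CreateBuilder(args);

builder.Services.Configure<CookiePolicyOptions>(options =>
{
    // Applied to every cookie appended to the response, including cookies set by
    // libraries that do not set the flags themselves.
    options.HttpOnly = HttpOnlyPolicy.Always;
    options.Secure = CookieSecurePolicy.Always;
    options.MinimumSameSitePolicy = SameSiteMode.Lax;
});

var app = builder.Build();
app.UseCookiePolicy();   // must run before any middleware that writes cookies
app.UseAuthentication();
app.UseAuthorization();

// Explicit flags for the cookies named in the post, so they are correct even
// without the policy middleware.
static void AppendHardenedCookie(HttpResponse response, string name, string value, TimeSpan lifetime)
{
    response.Cookies.Append(name, value, new CookieOptions
    {
        HttpOnly = true,
        Secure = true,
        SameSite = SameSiteMode.Lax,
        Expires = DateTimeOffset.UtcNow.Add(lifetime),
        Path = "/"
    });
}

// Hypothetical endpoint: a real handler would take the values from the
// application's authentication result instead of these placeholders.
app.MapPost("/api/example/issue-cookies", (HttpResponse response) =>
{
    AppendHardenedCookie(response, "Abp.TenantId", "<tenant-id>", TimeSpan.FromDays(365));
    AppendHardenedCookie(response, "Abp.AuthToken", "<access-token>", TimeSpan.FromMinutes(30));
    AppendHardenedCookie(response, "Abp.AuthRefreshToken", "<refresh-token>", TimeSpan.FromDays(7));
    return Results.Ok();
});

app.Run();
```

A quick check after deploying is to inspect the Set-Cookie headers in the browser's network tab: each of the three cookies should show both the HttpOnly and Secure attributes.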
Hi Team,
In our application, we want the users to log in with 2FA using Google Authenticator only. This is mandatory for all users of the given tenant.
We noticed that the user has the privilege to disable Google Authenticator once set. This should not be allowed, as 2FA is a tenant policy.
Please provide a solution for this.
Thanks,
Kind Regards, Kumar Prashant
Hi Team,
We are using Angular and MS SQL Standard edition. We have a need to deploy the ASP.NET Zero application to about 100 customers on their own premises in a two-tier setup with separate servers for App and Database.
Do you have any recommended toolset/process for the deployment and periodic upgrades? Some customers may upgrade in skip cycles.
Thanks,
Kind Regards, Kumar Prashant
Hi Team,
It is recommended that the user can reset the password only with the newly sent reset password link delivered to the registered email.
An attacker with physical access to the victim may use an older link to reset the password on behalf of the victim.
Please suggest.
Thanks,
Kind Regards, Kumar Prashant
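An added example for the post above (not ASP.NET Zero's own code): a reset-code store in which issuing a new link replaces the previous one, a code is accepted once, and it expires. It assumes an in-memory dictionary standing in for the per-user column where such a code would normally be kept; the class name, the user ids and the lifetime are illustrative.

```csharp
// Added example, not ASP.NET Zero's own code. Only a hash of the code is stored,
// so a database read does not yield a usable reset link.
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Text;

public sealed class PasswordResetCodes
{
    private sealed record Entry(byte[] CodeHash, DateTime ExpiresUtc);
    private readonly ConcurrentDictionary<long, Entry> _byUser = new();   // stand-in for the user table
    private readonly TimeSpan _lifetime;

    public PasswordResetCodes(TimeSpan lifetime) => _lifetime = lifetime;

    // Returns the raw code to embed in the e-mailed link. Storing its hash overwrites
    // any earlier code for the same user, so older links stop working immediately.
    public string Issue(long userId, DateTime nowUtc)
    {
        var code = Convert.ToHexString(RandomNumberGenerator.GetBytes(32));
        _byUser[userId] = new Entry(Hash(code), nowUtc + _lifetime);
        return code;
    }

    // True only for the most recently issued, unexpired code. The entry is removed
    // on success, so the same link cannot be replayed.
    public bool Redeem(long userId, string code, DateTime nowUtc)
    {
        if (!_byUser.TryGetValue(userId, out var entry)) return false;
        if (nowUtc > entry.ExpiresUtc)
        {
            _byUser.TryRemove(userId, out _);
            return false;
        }
        if (!CryptographicOperations.FixedTimeEquals(Hash(code), entry.CodeHash)) return false;
        return _byUser.TryRemove(userId, out _);
    }

    private static byte[] Hash(string code) => SHA256.HashData(Encoding.UTF8.GetBytes(code));
}
```

Calling Issue twice for one user and then Redeem with the first code returns false; Redeem with the second code returns true once and false afterwards.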
Hi Team,
It is recommended to store users' personal data in encrypted form in the database for GDPR compliance. How can we achieve the same? Is there a recommended coding approach from you?
Thanks,
Kind Regards, Kumar Prashant
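An added example for the post above (not ASP.NET Zero's own code): selected personal-data columns are encrypted with AES-GCM through an EF Core value converter, so the database only ever holds ciphertext and tampered values fail to decrypt. It assumes EF Core, a 32-byte key supplied from configuration or a key vault rather than hard-coded, and an illustrative Customer entity with the two properties shown.

```csharp
// Added example, not ASP.NET Zero's own code. Entity, property and key source are illustrative.
using System;
using System.Security.Cryptography;
using System.Text;
using Microsoft.EntityFrameworkCore;
using Microsoft.EntityFrameworkCore.Storage.ValueConversion;

public static class FieldCrypto
{
    private const int NonceSize = 12, TagSize = 16;

    // Stored layout: nonce || ciphertext || tag, Base64-encoded to fit an nvarchar column.
    public static string Encrypt(string plaintext, byte[] key)
    {
        var nonce = RandomNumberGenerator.GetBytes(NonceSize);   // fresh per value; never reused with one key
        var plain = Encoding.UTF8.GetBytes(plaintext);
        var cipher = new byte[plain.Length];
        var tag = new byte[TagSize];
        using var aes = new AesGcm(key);
        aes.Encrypt(nonce, plain, cipher, tag);
        var blob = new byte[NonceSize + cipher.Length + TagSize];
        nonce.CopyTo(blob, 0); cipher.CopyTo(blob, NonceSize); tag.CopyTo(blob, NonceSize + cipher.Length);
        return Convert.ToBase64String(blob);
    }

    public static string Decrypt(string stored, byte[] key)
    {
        var blob = Convert.FromBase64String(stored);
        var cipher = blob.AsSpan(NonceSize, blob.Length - NonceSize - TagSize);
        var plain = new byte[cipher.Length];
        using var aes = new AesGcm(key);
        // Throws CryptographicException if the stored value was altered.
        aes.Decrypt(blob.AsSpan(0, NonceSize), cipher, blob.AsSpan(blob.Length - TagSize), plain);
        return Encoding.UTF8.GetString(plain);
    }
}

public class Customer { public int Id { get; set; } public string Email { get; set; } public string PhoneNumber { get; set; } }

public class MyDbContext : DbContext
{
    private readonly byte[] _key;   // 32 bytes for AES-256; the model is built once, so every instance must get the same key
    public MyDbContext(DbContextOptions<MyDbContext> options, byte[] key) : base(options) => _key = key;

    protected override void OnModelCreating(ModelBuilder modelBuilder)
    {
        var key = _key;
        var encrypted = new ValueConverter<string, string>(v => FieldCrypto.Encrypt(v, key), v => FieldCrypto.Decrypt(v, key));
        // Encrypted columns cannot be filtered, sorted or indexed by the database; look rows up by Id.
        modelBuilder.Entity<Customer>().Property(c => c.Email).HasConversion(encrypted);
        modelBuilder.Entity<Customer>().Property(c => c.PhoneNumber).HasConversion(encrypted);
    }
}
```

Because each value gets its own random nonce, two customers with the same phone number produce different ciphertexts, which is also why equality searches against the column are not possible.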
Hi Team,
There is a direct URL access issue in the ASP.NET Zero project, where a user can access static files without authentication.
For example, anyone can access this URL: d6be4d82.demo.aspnetzero.com/assets/sampleFiles/ImportUsersSampleFile.xlsx
We want authentication checks for this URL; guide us on how we can achieve this.
Thanks,
Kind Regards, Kumar Prashant
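An added example for the post above (not ASP.NET Zero's own code): files that require an authentication check are kept outside wwwroot, where nothing is served automatically, and handed out only through an authorized endpoint. It assumes an ASP.NET Core host with its authentication scheme already configured and a folder named ProtectedFiles under the content root; the route and folder name are illustrative.

```csharp
// Added example, not ASP.NET Zero's own code. Route and folder are placeholders.
using System.IO;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.StaticFiles;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddAuthentication();   // add the scheme the application already uses
builder.Services.AddAuthorization();
var app = builder.Build();

app.UseAuthentication();
app.UseAuthorization();
app.UseStaticFiles();   // still serves wwwroot: keep only genuinely public assets there

var contentTypes = new FileExtensionContentTypeProvider();

app.MapGet("/files/{fileName}", (string fileName, IWebHostEnvironment env) =>
{
    // Accept bare file names only, so a request cannot point outside the folder.
    if (string.IsNullOrWhiteSpace(fileName) || fileName != Path.GetFileName(fileName))
        return Results.BadRequest();

    var root = Path.GetFullPath(Path.Combine(env.ContentRootPath, "ProtectedFiles"));
    var fullPath = Path.GetFullPath(Path.Combine(root, fileName));
    if (!fullPath.StartsWith(root + Path.DirectorySeparatorChar) || !File.Exists(fullPath))
        return Results.NotFound();

    if (!contentTypes.TryGetContentType(fullPath, out var contentType))
        contentType = "application/octet-stream";

    return Results.File(fullPath, contentType, fileDownloadName: fileName);
})
.RequireAuthorization();   // unauthenticated callers receive 401 instead of the file

app.Run();
```

With this layout a request such as /files/ImportUsersSampleFile.xlsx succeeds only with a valid session or bearer token, while the old /assets path no longer exposes the file because it is not under wwwroot.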
Hi Team,
In standard ASP.NET Zero projects there are two roles, Admin and User. We want to introduce a new HR role with the ability to create users.
The concern is that the HR person, while creating a user, can also give the user an HR role or Admin role. We do not want the HR person to create a user with any role; it should be limited to the default role.
Please advise.
Thanks,
Kind Regards, Kumar Prashant
Hi Team,
While doing Vulnerability Assessment and Penetration Testing (VAPT) of the ASP.NET Zero application, we found that the application is transmitting the password in clear text on the login page.
In this case an attacker can use network sniffer tools to capture HTTP requests which contain user passwords.
Please see the attached screenshot for your reference.
Due to this our production deployment has gone on hold. Please look into this issue on priority and provide us the solution.
Thanks,
Kind Regards, Kumar Prashant
Hi Team,
We are getting the following issue. Request you to please provide the solution ASAP.
Exception: The source IQueryable doesn't implement IAsyncEnumerable<MyApp.MyDto.Dtos.AddressCountryLookupTableDto>. Only sources that implement IAsyncEnumerable can be used for Entity Framework asynchronous operations
We tried using a .NET Core based console app with ASP.NET Zero support. In that we tried to do dependency injection of the services from MyApp. We tried invoking a method from AddressesAppService of MyApp.
Below are the details of the MyConsoleAppModule.cs, MyConsoleAppDbContext.cs and Program.cs code.
1) Below is the module MyConsoleAppModule.cs:

    [DependsOn(typeof(AbpEntityFrameworkModule))]
    public class MyConsoleAppModule : AbpModule

a> In its PreInitialize(), we read appsettings.json and did:

    var builder = new ConfigurationBuilder().AddJsonFile("appsettings.json");
    IConfigurationRoot configuration = builder.Build();
    Configuration.DefaultNameOrConnectionString = ...; // connection string for DB of MyApp

b> In its Initialize(), we did service registration for AddressesAppService and what it depends on, as below:

    IocManager.RegisterAssemblyByConvention(Assembly.GetExecutingAssembly());
    IocManager.Register<IAddressesAppService, AddressesAppService>(DependencyLifeStyle.Transient);
    IocManager.Register<IRepository<Address, long>>(DependencyLifeStyle.Transient);
    IocManager.Register<IRepository<Country, long>>(DependencyLifeStyle.Transient);
    IocManager.Register<IRepository<StateOrProvince, long>>(DependencyLifeStyle.Transient);
    IocManager.Register<IAddressesExcelExporter, AddressesExcelExporter>(DependencyLifeStyle.Transient);
    IocManager.Register<ITempFileCacheManager, TempFileCacheManager>(DependencyLifeStyle.Transient);

2) Also, we had MyConsoleAppDbContext.cs, where we added the DbSets below for the tables needed by AddressesAppService:

    public class MyConsoleAppDbContext : AbpDbContext
    {
        public virtual IDbSet<Address> Addresses { get; set; }
        public virtual IDbSet<Country> Countries { get; set; }
        public virtual IDbSet<StateOrProvince> StateOrProvince { get; set; }

        public MyConsoleAppDbContext() : base("Default") { }

        public MyConsoleAppDbContext(string nameOrConnectionString) : base(nameOrConnectionString) { }
    }

3) Program.cs:

    class Program
    {
        static async Task Main(string[] args)
        {
            using (var bootstrapper = AbpBootstrapper.Create<MyConsoleAppModule>())
            {
                bootstrapper.IocManager.IocContainer
                    .AddFacility<LoggingFacility>(f => f.UseAbpLog4Net().WithConfig("log4net.config"));
                bootstrapper.Initialize();

                var result = await Test_Way_MyAppAsync(bootstrapper.IocManager);
                if (result != null)
                {
                    Console.WriteLine(result.Count);
                }
            }
        }

        public static async Task<List<AddressStateOrProvinceLookupTableDto>> Test_Way_MyAppAsync(IIocManager iocManager)
        {
            var addressesAppService = iocManager.Resolve<AddressesAppService>();

            // Below was a sync result returning service method and it worked well:
            // var result = addressesAppService.Object.GetAll();
            // Console.WriteLine(result.StateOrProvinceId);

            // Below is an async result returning service method, and here we had the exception:
            var result = await addressesAppService.GetAllStateOrProvinceForTableDropdown();
            return result.ToList();
        }
    }
Thanks,
Kind Regards, Kumar Prashant
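An added example for the post above (not the poster's code and not ASP.NET Zero's): the console host wired to EF Core instead of EF6. It assumes the quoted exception arises because MyApp's app service uses EF Core async operators (ToListAsync and friends), which only accept an IQueryable produced by EF Core, while the console context above is an EF6 one (AbpEntityFrameworkModule, IDbSet<T>, the "Default" connection-name constructor); the type names come from the post, and the configuration key and UseSqlServer call are illustrative.

```csharp
// Added example, not the poster's code. Switches the host to Abp.EntityFrameworkCore so
// repositories hand the app service EF Core queryables, which implement IAsyncEnumerable<T>.
using System;
using Abp.EntityFrameworkCore;
using Abp.EntityFrameworkCore.Configuration;
using Abp.Modules;
using Abp.Reflection.Extensions;
using Microsoft.EntityFrameworkCore;
using Microsoft.Extensions.Configuration;

// EF Core module instead of AbpEntityFrameworkModule (EF6). MyApp's own modules would be
// listed here as well so that their services, such as AddressesAppService, get registered.
[DependsOn(typeof(AbpEntityFrameworkCoreModule))]
public class MyConsoleAppModule : AbpModule
{
    public override void PreInitialize()
    {
        var configuration = new ConfigurationBuilder()
            .SetBasePath(AppContext.BaseDirectory)
            .AddJsonFile("appsettings.json")
            .Build();
        Configuration.DefaultNameOrConnectionString = configuration.GetConnectionString("Default");

        // Register the EF Core context; ABP then provides IRepository<TEntity, TKey> for each
        // DbSet on it, so the manual IRepository registrations from the post are not needed.
        Configuration.Modules.AbpEfCore().AddDbContext<MyConsoleAppDbContext>(options =>
        {
            if (options.ExistingConnection != null)   // connection reused inside a unit of work
                options.DbContextOptions.UseSqlServer(options.ExistingConnection);
            else
                options.DbContextOptions.UseSqlServer(options.ConnectionString);
        });
    }

    public override void Initialize()
    {
        IocManager.RegisterAssemblyByConvention(typeof(MyConsoleAppModule).GetAssembly());
    }
}

// EF Core context: DbSet<T> and a DbContextOptions constructor, no IDbSet<T> or "Default".
public class MyConsoleAppDbContext : AbpDbContext
{
    public DbSet<Address> Addresses { get; set; }
    public DbSet<Country> Countries { get; set; }
    public DbSet<StateOrProvince> StateOrProvince { get; set; }

    public MyConsoleAppDbContext(DbContextOptions<MyConsoleAppDbContext> options) : base(options) { }
}
```

A quick way to confirm the diagnosis before changing the host is to check which package the console project references: Abp.EntityFramework produces IDbSet<T>-based contexts, Abp.EntityFrameworkCore produces DbSet<T>-based ones, and only the latter satisfies EF Core's async extension methods.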