abpframework / abp

Open-source web application framework for ASP.NET Core! Offers an opinionated architecture to build enterprise software solutions with best practices on top of .NET. Provides the fundamental infrastructure, cross-cutting-concern implementations, startup templates, application modules, UI themes, tooling and documentation.
https://abp.io
GNU Lesser General Public License v3.0
12.77k stars, 3.41k forks

The cookie `XSRF-TOKEN` is not HttpOnly #14214

Closed. ebicoglu closed this 1 year ago.

ebicoglu commented 1 year ago

Set the following cookies as HttpOnly

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page, then the cookie will be accessible and can be transmitted to another site. If this is a session cookie, then session hijacking may be possible.


maliming commented 1 year ago

XSRF-TOKEN AspNetCore.Culture

We need to use XSRF-TOKEN and AspNetCore.Culture in JavaScript (Angular).

idsrv.session

It's by Identity Server design. https://github.com/IdentityServer/IdentityServer3/issues/3512

ebicoglu commented 1 year ago

All the pages that set XSRF-TOKEN, .AspNetCore.Culture and idsrv.session in the HTTP response are reported as a "No HttpOnly Flag" vulnerability. This is a positive alert. The idsrv.session cookie is used by IDS4, and after ABP 6.x the support for IDS will be dropped, therefore this cookie will not be used anymore. Also, there is an issue related to the idsrv.session cookie not being able to be set as HttpOnly; you can see the related thread in its own repository: https://github.com/IdentityServer/IdentityServer4/issues/3873.

On the other hand, the cookies .AspNetCore.Culture and XSRF-TOKEN are retrieved via JavaScript in ABP Angular, MVC and Blazor WASM projects. Therefore they cannot be set as HttpOnly. You can check out the following modules that retrieve these cookies via JavaScript:

Setting the XSRF-TOKEN cookie as HttpOnly: If you want to set it, you can do so in the AbpAntiForgeryOptions class.

Setting the .AspNetCore.Culture cookie as HttpOnly: If you want to set it, you can do so in the AbpRequestCultureCookieHelper class. Set the option HttpOnly = true.

Closing this issue because there is no need for a fix right now.