Open idbates opened 4 weeks ago
This document still works: https://aspnetzero.com/blog/http-only-anti-forgery-token-in-asp.net-zero You must add the middleware to the top position.
And change X-XSRF-TOKEN
to RequestVerificationToken
Thanks for the prompt reply - we already do as you suggested - see below.
Please can you confirm that this is a recommended approach for using ABP framework with Angular and HttpOnly
cookies?
We are concerned about any other negative impact of making cookies HttpOnly
- will the culture cookie also work correctly with HttpOnly = true?
namespace Aecom.BioInstinct
{
using Microsoft.AspNetCore.Builder;
public static class XsrfMiddleware
{
public static IApplicationBuilder UseHttpOnlyAntiForgeryToken(this IApplicationBuilder app)
{
return app.Use(async (ctx, next) =>
{
var tokens = ctx.Request.Cookies["XSRF-TOKEN"];
if (string.IsNullOrEmpty(tokens) == false)
{
ctx.Request.Headers["RequestVerificationToken"] = tokens;
}
await next();
});
}
}
}
Thanks for the prompt reply - we already do as you suggested - see below.
This is a problem is you should use the same domain for angular and backend otherwise the browser will not send the cookies
The recommend way is not to use HttpOnly Cookie for XSRF-TOKEN
Thanks - we use the same domain for angular and backend in this application.
If there is a good reason not to use HttpOnly due to security architecture then we can leave it off and use that argument to counter our pen testers findings. However if the middleware solution is suitable for a single domain application then we might be better leaving the it with this.
Thanks - we use the same domain for angular and backend in this application.
It's good
Our application is using:
Pen test results have requested we make all cookies
HttpOnly
/Secure
.To achieve this we create this cookie policy:
And apply like this:
app.UseCookiePolicy();
The result is like this
However with
XSRF-TOKEN
cookieHttpOnly
the Antiforgery system is now broken. We think that client script will read this cookie to create a request header.As a work around we have found the following ASP.NET Zero Post
https://aspnetzero.com/blog/http-only-anti-forgery-token-in-asp.net-zero.
We created the middleware suggested in this post and this appears to work.
Is this the correct approach using ABP? Its not documented on the following page https://abp.io/docs/latest/framework/infrastructure/csrf-anti-forgery. The statement "ABP completely automates CSRF preventing and works out of the box without any configuration" makes us doubt we should be modifying the default approach.
What is the recommended approach for using secure
HttpOnly
cookies with ABP to avoid breaking anti forgery and other parts of the system?