abpframework / abp

Open-source web application framework for ASP.NET Core! Offers an opinionated architecture to build enterprise software solutions with best practices on top of the .NET. Provides the fundamental infrastructure, cross-cutting-concern implementations, startup templates, application modules, UI themes, tooling and documentation.
https://abp.io
GNU Lesser General Public License v3.0
12.91k stars 3.44k forks source link

Recommended approach for using Secure/HttpOnly Cookies with ABP 8.x / Angular #20945

Open idbates opened 4 weeks ago

idbates commented 4 weeks ago

Our application is using:

Pen test results have requested we make all cookies HttpOnly / Secure.

To achieve this we create this cookie policy:

    private void ConfigureCookiePolicies(ServiceConfigurationContext context)
    {
        Configure<CookiePolicyOptions>(options =>
        {
            options.CheckConsentNeeded = context => true;
            options.MinimumSameSitePolicy = SameSiteMode.Strict;
            options.HttpOnly = Microsoft.AspNetCore.CookiePolicy.HttpOnlyPolicy.Always;
            options.Secure = Microsoft.AspNetCore.Http.CookieSecurePolicy.Always;
        });

        context.Services.ConfigureApplicationCookie(options =>
        {
            options.Cookie.HttpOnly = true;
            options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
            options.Cookie.SameSite = SameSiteMode.Strict; 
        });
    }

And apply like this:

app.UseCookiePolicy();

The result is like this

image

However with XSRF-TOKEN cookie HttpOnly the Antiforgery system is now broken. We think that client script will read this cookie to create a request header.

As a work around we have found the following ASP.NET Zero Post

https://aspnetzero.com/blog/http-only-anti-forgery-token-in-asp.net-zero.

We created the middleware suggested in this post and this appears to work.

Is this the correct approach using ABP? Its not documented on the following page https://abp.io/docs/latest/framework/infrastructure/csrf-anti-forgery. The statement "ABP completely automates CSRF preventing and works out of the box without any configuration" makes us doubt we should be modifying the default approach.

What is the recommended approach for using secure HttpOnly cookies with ABP to avoid breaking anti forgery and other parts of the system?

realLiangshiwei commented 4 weeks ago

This document still works: https://aspnetzero.com/blog/http-only-anti-forgery-token-in-asp.net-zero You must add the middleware to the top position.

And change X-XSRF-TOKEN to RequestVerificationToken

image
idbates commented 4 weeks ago

Thanks for the prompt reply - we already do as you suggested - see below. Please can you confirm that this is a recommended approach for using ABP framework with Angular and HttpOnly cookies?

We are concerned about any other negative impact of making cookies HttpOnly - will the culture cookie also work correctly with HttpOnly = true?


namespace Aecom.BioInstinct
{
    using Microsoft.AspNetCore.Builder;

    public static class XsrfMiddleware
    {
        public static IApplicationBuilder UseHttpOnlyAntiForgeryToken(this IApplicationBuilder app)
        {
            return app.Use(async (ctx, next) =>
            {
                var tokens = ctx.Request.Cookies["XSRF-TOKEN"];
                if (string.IsNullOrEmpty(tokens) == false)
                {
                    ctx.Request.Headers["RequestVerificationToken"] = tokens;
                }
                await next();
            });
        }
    }
}
realLiangshiwei commented 4 weeks ago

Thanks for the prompt reply - we already do as you suggested - see below.

This is a problem is you should use the same domain for angular and backend otherwise the browser will not send the cookies

The recommend way is not to use HttpOnly Cookie for XSRF-TOKEN

idbates commented 4 weeks ago

Thanks - we use the same domain for angular and backend in this application.

If there is a good reason not to use HttpOnly due to security architecture then we can leave it off and use that argument to counter our pen testers findings. However if the middleware solution is suitable for a single domain application then we might be better leaving the it with this.

realLiangshiwei commented 4 weeks ago

Thanks - we use the same domain for angular and backend in this application.

It's good