Recommended approach for using Secure/HttpOnly Cookies with ABP 8.x / Angular

Open idbates opened this issue 1 year ago • 5 comments

Our application is using:

  • ABP 8.0.0
  • Angular
  • EF Core

Pen test results have requested we make all cookies HttpOnly / Secure.

To achieve this we create this cookie policy:

    // Called from the module's ConfigureServices. Configure<T> is the AbpModule helper;
    // ServiceConfigurationContext comes from Volo.Abp.Modularity and
    // ConfigureApplicationCookie from Microsoft.Extensions.DependencyInjection.
    private void ConfigureCookiePolicies(ServiceConfigurationContext context)
    {
        // Global policy applied by the cookie policy middleware to every cookie the app writes.
        Configure<CookiePolicyOptions>(options =>
        {
            options.CheckConsentNeeded = _ => true; // lambda parameter renamed so it no longer shadows "context"
            options.MinimumSameSitePolicy = SameSiteMode.Strict;
            options.HttpOnly = Microsoft.AspNetCore.CookiePolicy.HttpOnlyPolicy.Always;
            options.Secure = Microsoft.AspNetCore.Http.CookieSecurePolicy.Always;
        });

        // Same flags on the Identity application cookie itself.
        context.Services.ConfigureApplicationCookie(options =>
        {
            options.Cookie.HttpOnly = true;
            options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
            options.Cookie.SameSite = SameSiteMode.Strict;
        });
    }

And apply like this:

    // In OnApplicationInitialization, before the middleware that writes cookies
    // (authentication, antiforgery), so the policy is applied to them.
    app.UseCookiePolicy();

The result is like this:

[image: screenshot of the resulting cookies]

However, with the XSRF-TOKEN cookie set HttpOnly, the antiforgery system is now broken. We think that client script reads this cookie to create a request header.

As a workaround we found the following ASP.NET Zero post:

https://aspnetzero.com/blog/http-only-anti-forgery-token-in-asp.net-zero.

We created the middleware suggested in this post and this appears to work.

Is this the correct approach using ABP? It's not documented on the following page: https://abp.io/docs/latest/framework/infrastructure/csrf-anti-forgery. The statement "ABP completely automates CSRF preventing and works out of the box without any configuration" makes us doubt we should be modifying the default approach.

What is the recommended approach for using secure HttpOnly cookies with ABP to avoid breaking anti forgery and other parts of the system?

idbates avatar Oct 02 '24 07:10 idbates

This document still works: https://aspnetzero.com/blog/http-only-anti-forgery-token-in-asp.net-zero. You must add the middleware at the top position.

And change X-XSRF-TOKEN to RequestVerificationToken.

[image: screenshot]

realLiangshiwei avatar Oct 02 '24 08:10 realLiangshiwei

Thanks for the prompt reply - we already do as you suggested - see below. Please can you confirm that this is a recommended approach for using ABP framework with Angular and HttpOnly cookies?

We are concerned about any other negative impact of making cookies HttpOnly - will the culture cookie also work correctly with HttpOnly = true?

    namespace Aecom.BioInstinct
    {
        using Microsoft.AspNetCore.Builder;

        public static class XsrfMiddleware
        {
            // Copies the XSRF-TOKEN cookie into the header ABP's antiforgery check reads,
            // so the Angular client no longer has to read the (now HttpOnly) cookie itself.
            // Register it at the top of the pipeline so the header is present when the
            // token is validated.
            public static IApplicationBuilder UseHttpOnlyAntiForgeryToken(this IApplicationBuilder app)
            {
                return app.Use(async (ctx, next) =>
                {
                    var token = ctx.Request.Cookies["XSRF-TOKEN"];
                    if (!string.IsNullOrEmpty(token))
                    {
                        ctx.Request.Headers["RequestVerificationToken"] = token;
                    }
                    await next();
                });
            }
        }
    }

idbates avatar Oct 02 '24 08:10 idbates

> Thanks for the prompt reply - we already do as you suggested - see below.

This is a problem as you should use the same domain for Angular and the backend; otherwise the browser will not send the cookies.

The recommended way is not to use an HttpOnly cookie for XSRF-TOKEN.

realLiangshiwei avatar Oct 02 '24 10:10 realLiangshiwei

Thanks - we use the same domain for angular and backend in this application.

If there is a good reason not to use HttpOnly due to security architecture, then we can leave it off and use that argument to counter our pen testers' findings. However, if the middleware solution is suitable for a single-domain application, then we might be better off leaving it with this.

idbates avatar Oct 02 '24 10:10 idbates

> Thanks - we use the same domain for angular and backend in this application.

It's good

realLiangshiwei avatar Oct 02 '24 14:10 realLiangshiwei
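As an added example (not code from this thread, from ABP, or from ASP.NET Zero), the following minimal ASP.NET Core 8 Program.cs shows the two points discussed above in one runnable app: how to keep the global HttpOnly/Secure/SameSite=Strict policy from the first post while exempting only the XSRF-TOKEN cookie through CookiePolicyOptions.OnAppendCookie, and what the cookie-to-header middleware from the UseHttpOnlyAntiForgeryToken post changes about the antiforgery check. The project layout (a `dotnet new web` project run with its HTTPS profile), the /token and /api/change routes and the COPY_XSRF_COOKIE switch are assumptions made for this illustration.

```csharp
// Added illustration for this thread, not ABP's or ASP.NET Zero's code. Assumed layout:
// Program.cs of a `dotnet new web` project on .NET 8, run with the HTTPS profile.
// The /token and /api/change routes and the COPY_XSRF_COOKIE switch are made up here.
using Microsoft.AspNetCore.Antiforgery;
using Microsoft.AspNetCore.CookiePolicy;

var builder = WebApplication.CreateBuilder(args);

// Same header name ABP's Angular client sends. The antiforgery's own cookie
// (.AspNetCore.Antiforgery.*) is what the request token is validated against,
// and it is HttpOnly regardless of what happens to XSRF-TOKEN.
builder.Services.AddAntiforgery(o =>
{
    o.HeaderName = "RequestVerificationToken";
    o.Cookie.HttpOnly = true;
    o.Cookie.SecurePolicy = CookieSecurePolicy.Always;
});

var app = builder.Build();

// The global policy from the first post, plus one exemption. OnAppendCookie runs
// after the policy has been applied to the CookieOptions, so only XSRF-TOKEN is
// turned back into a readable cookie; everything else is HttpOnly/Secure/Strict.
app.UseCookiePolicy(new CookiePolicyOptions
{
    CheckConsentNeeded = _ => true,
    MinimumSameSitePolicy = SameSiteMode.Strict,
    HttpOnly = HttpOnlyPolicy.Always,
    Secure = CookieSecurePolicy.Always,
    OnAppendCookie = ctx =>
    {
        if (ctx.CookieName == "XSRF-TOKEN")
        {
            ctx.CookieOptions.HttpOnly = false;
        }
    },
});

// Set COPY_XSRF_COOKIE=1 to emulate the cookie-to-header middleware from the thread.
if (Environment.GetEnvironmentVariable("COPY_XSRF_COOKIE") == "1")
{
    app.Use(async (ctx, next) =>
    {
        var token = ctx.Request.Cookies["XSRF-TOKEN"];
        if (!string.IsNullOrEmpty(token))
        {
            // The browser attaches the cookie on its own, so from here on a request
            // passes the antiforgery check without any script having read the token.
            ctx.Request.Headers["RequestVerificationToken"] = token;
        }
        await next();
    });
}

// Issue the request token into a readable cookie, as ABP's AbpAntiForgeryManager does.
app.MapGet("/token", (HttpContext ctx, IAntiforgery antiforgery) =>
{
    var tokens = antiforgery.GetAndStoreTokens(ctx); // also writes the HttpOnly antiforgery cookie
    ctx.Response.Cookies.Append("XSRF-TOKEN", tokens.RequestToken!, new CookieOptions
    {
        IsEssential = true, // not held back by CheckConsentNeeded
        // HttpOnly is deliberately not set here: the policy forces it on,
        // and the OnAppendCookie hook above turns it off for this cookie only.
    });
    return Results.Ok(new { issued = true });
});

// State-changing endpoint guarded by the double-submit check.
app.MapPost("/api/change", async (HttpContext ctx, IAntiforgery antiforgery) =>
{
    try
    {
        await antiforgery.ValidateRequestAsync(ctx);
    }
    catch (AntiforgeryValidationException ex)
    {
        return Results.BadRequest(new { error = ex.Message });
    }
    return Results.Ok(new { changed = true });
});

app.Run();
```

Run it, fetch /token into a cookie jar (curl -k -c jar https://localhost:PORT/token) and then POST /api/change sending only that jar (curl -k -b jar -X POST https://localhost:PORT/api/change). Without the switch the POST is rejected with 400 because no RequestVerificationToken header was supplied; with COPY_XSRF_COOKIE=1 the same cookie-only POST returns 200. That is the trade-off behind the "not recommended" answer above: once the server fills the header from the cookie, the check no longer proves that same-origin script ran, and protection against a cross-site POST rests on the cookies' SameSite attribute alone. The XSRF-TOKEN cookie is readable by design; the value it is validated against lives in the antiforgery cookie, which is already HttpOnly, and a script that could read XSRF-TOKEN could equally send the request itself.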

Not sure if my issue is related to this, but with 8.1 I am getting this error when trying to update the profile picture or anything within account management. This happens only in production on IIS, not locally; we have the auth server and API on different paths, but the problem started after we upgraded to 8.1.

[image: screenshot of the error]

See the video of the issue here: https://1drv.ms/v/s!AsorrL5KPcLJjuA6Ys3cTMOVVLEKJA?e=xXVCNS. The first submit/save fails due to the error above, but after hitting save again it works.

HDaoud avatar Dec 11 '24 18:12 HDaoud

> Thanks for the prompt reply - we already do as you suggested - see below.
>
> This is a problem as you should use the same domain for Angular and the backend; otherwise the browser will not send the cookies.
>
> The recommended way is not to use an HttpOnly cookie for XSRF-TOKEN.

We have the same domain, but different paths for the Antiforgery cookie (one for /api and one for /auth), Identity.Application (/auth) and XSRF-TOKEN (/).

Is this the reason why, when I hit the first save in /account/manage, it throws the error, and then if I hit save again it works? I noticed that the first save changes the XSRF-TOKEN value, while subsequent requests within /account/manage work, unless you refresh; then the issue happens again (the first submit fails, then the rest work).

HDaoud avatar Dec 12 '24 15:12 HDaoud

@HDaoud Please create a question on the support web site, thanks

realLiangshiwei avatar Dec 13 '24 00:12 realLiangshiwei