How to set httpOnly flag for Abp.AuthToken cookie? - boilerplate

We are planning to build a site using the ABP Boilerplate (Angular) framework. In that we noticed that the abp.authtoken cookie is set without the httpOnly flag and also that the cookie is set using Angular code. Setting a cookie without httpOnly is not good practice. Can anyone advise whether we can set httpOnly for abp.authtoken? Or is it really an ABP Boilerplate framework limitation?

You can configure application cookies at startup like:
services.ConfigureApplicationCookie(options =>
{
    options.Cookie.HttpOnly = true;
});

Related

How to inject cookies in the Authorization header when they are store in httpOnly

I store my token in cookies this way (server side) :
res.cookie('access_token', token.access_token, { httpOnly: true });
Therefore on the client side I could not inject it into the Authorization header since it is stored as httpOnly. Has anyone had this issue? Or am I required to extract the token manually on the server side to put it in the header?
You can't access HttpOnly tokens from JavaScript, that is the purpose of that attribute.
A better approach is to not handle tokens at all in the browser and instead use the BFF-pattern (Backends for Frontends) as described in this video:
alert('OAuth 2.0'); // The impact of XSS on OAuth 2.0 in SPAs

Is it possible to set an HttpOnly Cookie from one domain to another subdomain

I originally posted this question here: https://security.stackexchange.com/questions/255737/is-it-possible-to-set-an-httponly-cookie-from-one-domain-to-another-subdomain
Please keep in mind that this question is specific to cookies with the HttpOnly flag set to true.
I am pretty sure that the answer to my question is no, but I have been having a hard time finding an answer through official documentation or other posts here. Here is a simple use case for some context:
Python backend web application (api.domain.com)
Frontend JavaScript SPA (app.domain.com)
POST requests to api.domain.com/api/auth/login/ made from app.domain.com using axios with the correct username and password return a response with an access JWT token in the body, and the response sets a refresh cookie with an HttpOnly flag [should fail, since I believe that the cookie cannot be set on app.domain.com from an API request to api.domain.com? -- this is my question]
the access token is stored in memory and passed with each API request
requests made to api.domain.com/api/auth/refresh/ are sent on a schedule to refresh the short-lived access token.
I typically host the frontend app and backend app on the same subdomain (app.domain.com) and do path-based routing with something like CloudFront or nginx, and this works well. For example, all requests starting with /api/* are sent to the backend, and all other requests are sent to the frontend app. Trying to use a separate subdomain for the API seems to fail no matter what options I use for setting the cookie on the server.
Can someone help me confirm that it is in fact not possible to set an HttpOnly cookie on a subdomain like app.domain.com from an API request hosted on api.domain.com? It would be great if anyone can also help me find where this could possibly be found in official documentation.
Searching for "set httpOnly cookie across subdomains", I haven't found anything directly relevant. I also didn't find anything in these resources that directly answers my question:
https://owasp.org/www-community/HttpOnly
https://learn.microsoft.com/en-us/previous-versions//ms533046(v=vs.85)?redirectedfrom=MSDN
This is possible. In fact I just did it.
On your frontend, using Axios:
const baseURL = 'https://api.example.com';
const api = axios.create({
  baseURL,
  withCredentials: true,
});
On your backend, using Express:
const express = require('express');
const cors = require('cors');
const app = express();

app.use(
  cors({
    origin: 'https://www.example.com',
    credentials: true,
  }),
);

app.post('/login', async (req, res) => {
  res.cookie('someCookie', someCookieValue, {
    secure: true,
    domain: 'example.com',
    httpOnly: true,
  });
  res.sendStatus(204); // finish the response so the Set-Cookie header is actually sent
});
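As an added example (not code from either the question or the answer above), the following parses a Set-Cookie header like the one the Express answer emits and applies the RFC 6265 domain-match rule, to show why a cookie set by api.example.com with Domain=example.com is also sent to app.example.com while the same cookie without a Domain attribute stays host-only; the hostnames and cookie values are constructed for illustration.

```javascript
// Parse a Set-Cookie header value into its name/value and attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1),
                   httpOnly: false, secure: false, domain: null, path: '/' };
  for (const attr of attrs) {
    const [k, v = ''] = attr.split('=');
    switch (k.toLowerCase()) {
      case 'httponly': cookie.httpOnly = true; break;
      case 'secure': cookie.secure = true; break;
      case 'domain': cookie.domain = v.replace(/^\./, '').toLowerCase(); break;
      case 'path': cookie.path = v || '/'; break;
    }
  }
  return cookie;
}

// RFC 6265 section 5.1.3 domain-match: equal, or host ends with "." + domain.
function domainMatches(host, cookieDomain) {
  host = host.toLowerCase();
  return host === cookieDomain || host.endsWith('.' + cookieDomain);
}

// Would a cookie set by a response from setterHost be sent on requests to
// requestHost? No Domain attribute => host-only cookie. With Domain, the
// setter must itself lie within that domain (otherwise the browser rejects
// the cookie) and the request host must domain-match it.
function cookieSentTo(setCookieHeader, setterHost, requestHost) {
  const c = parseSetCookie(setCookieHeader);
  if (c.domain === null) return setterHost.toLowerCase() === requestHost.toLowerCase();
  if (!domainMatches(setterHost, c.domain)) return false;
  return domainMatches(requestHost, c.domain);
}

// HttpOnly decides whether document.cookie (and so any injected script) can read it.
function readableByScript(setCookieHeader) {
  return !parseSetCookie(setCookieHeader).httpOnly;
}

// Constructed headers: SHARED is what res.cookie(...) in the Express answer emits;
// HOST_ONLY is the same cookie without a Domain attribute.
const SHARED = 'someCookie=abc123; Domain=example.com; Path=/; HttpOnly; Secure';
const HOST_ONLY = 'someCookie=abc123; Path=/; HttpOnly; Secure';

console.log(cookieSentTo(SHARED, 'api.example.com', 'app.example.com'));    // true
console.log(cookieSentTo(HOST_ONLY, 'api.example.com', 'app.example.com')); // false
```

Real browsers additionally reject a Domain value that is a public suffix (for example a bare TLD), which this check omits. The cookie is also only stored from a cross-origin XHR/fetch when the request used withCredentials and the CORS response allowed credentials, which is what the axios and cors settings in the answer provide.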

ASP.Net Core 3.1 with AzureAd Authentication generating SameSite Error Chrome

I am using Azure AD Authentication with ASP.Net Core 3.1 and when I Log In/Out I get a SameSite error in the console from chrome.
cookie associated with a cross-site resource at https://login.microsoftonline.com/ was set without the SameSite attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with SameSite=None and Secure
I can see in Application>Storage>Cookies I have a .AspNetCore.AzureADCookie with SameSite showing as None and a tick against Secure.
Having looked through other questions and following code snippets, I have seen multiple people report this issue is fixed and others suggesting to add the following in the appropriate startup sections.
services.Configure<CookiePolicyOptions>(options =>
{
    options.MinimumSameSitePolicy = SameSiteMode.None;
});

.AddCookie(options =>
{
    options.Cookie.SameSite = SameSiteMode.None;
})

app.UseCookiePolicy(new CookiePolicyOptions
{
    MinimumSameSitePolicy = SameSiteMode.None
});
I have tried these options and combinations of these options but the error persists.
Additionally, I tried generating a new project with the built in template in VS2019 NetCore 3.1 with Azure Auth and it results in the same error.
Could someone help with what configuration needed to eliminate this issue?

socket.io sets cross-site cookie without same-site attribute

I have a socket.io application and recently I got this warning:
A cookie associated with a cross-site resource at URL was set
without the SameSite attribute.
A future release of Chrome will only deliver cookies with cross-site requests if they are set with SameSite=None and Secure.
You can review cookies in developer tools under
Application>Storage>Cookies and see more details at
https://www.chromestatus.com/feature/5088147346030592 and
https://www.chromestatus.com/feature/5633521622188032.
Apparently it is something that Chrome will be updating in the future:
SameSite warning Chrome 77
I already tried this, but to no apparent avail: io = io.listen(server, { cookie: false });
I think the cookie doesn't do anything, so how can I disable io from setting it?
As per the issue reported in Socket.IO's GitHub repo, that cookie is not used for anything; you can disable it by setting cookie: false in the server options.
But what you have missed is setting the {cookie: false} option when initializing the socket, not http.listen. The solution provided below worked for me and uses express as the server.
var server = require('http').createServer(express());
var io = require('socket.io')(server, { path:"/some/path", cookie: false });

XSRF-TOKEN not updated when using IISExpress and localhost

.Net Core API layer and .Net Core MVC w/ Angular2 front end. Locally, they are running in different websites (localhost:xxx1 and localhost:xxx2), and when published, the API is running in a subdirectory of the frontend.
I've set up the .Net Core Antiforgery like so:
in the ConfigureServices section:
services.AddAntiforgery(options =>
{
    options.HeaderName = "X-XSRF-TOKEN";
});
in the Configure section:
app.Use(next => context =>
{
    var tokens = antiforgery.GetAndStoreTokens(context);
    context.Response.Cookies.Append("XSRF-TOKEN", tokens.RequestToken, new CookieOptions() { HttpOnly = false });
    return next(context);
});
When I initially launch the sites and browse to the website in Chrome, I do get the 2 Antiforgery tokens (.AspNetCore.Antiforgery.xxxx and the XSRF-TOKEN) and when I make a get/post/etc call I see the x-xsrf-token header is added to the call.
The problem is on each call, the api returns a new XSRF-TOKEN cookie but locally my cookie is not updated, it always contains the original value. When published online, this doesn't happen, the cookie updates every time.
I've tried setting the sites up locally to use localhost.somedomain.com but that didn't work.
Any suggestions as to what I'm doing wrong or how to get it working locally?
The issue on my local machine was that I was running each app in its own IIS Express (localhost:xxx1 and localhost:xxx2).
I ended up setting IIS up to host .net core following this article (https://learn.microsoft.com/en-us/aspnet/core/publishing/iis) and I'm getting the expected result.