Question about cookie creation method in abp.js #4836 | Support

nhontran created one year ago

ABP Framework version: v5.2.2
UI type: Angular
DB provider: EF Core
Tiered (MVC) or Identity Server Separated (Angular): yes

Hi, we got a code scan finding on the method below in abp.js in identity server:

    abp.utils.setCookieValue = function (key, value, expireDate, path) {
        var cookieValue = encodeURIComponent(key) + '=';

        if (value) {
            cookieValue = cookieValue + encodeURIComponent(value);
        }

        if (expireDate) {
            cookieValue = cookieValue + "; expires=" + expireDate.toUTCString();
        }

        if (path) {
            cookieValue = cookieValue + "; path=" + path;
        }

        document.cookie = cookieValue;
    };

The web application's function method creates a cookie, at line 623 of wwwroot/libs/abp/core/abp.js, and returns it in the response. However, the application is not configured to automatically set the cookie with the "httpOnly" attribute, and the code does not explicitly add this to the cookie.

I understand that the "HttpOnly" attribute cannot be set for a cookie using client-side JavaScript. However, I would like to request information about the cookies generated by the method in identity server, including their purpose and whether they contain any sensitive information.

Thank you.

3 Answer(s)

0

liangshiwei created one year ago
Support Team Fullstack Developer

Hi,

The Identityserver use CookieAuthentication and aspnet core identity. And the cookie created by: https://github.com/dotnet/aspnetcore/blob/main/src/Security/Authentication/Cookies/src/CookieAuthenticationHandler.cs

nhontran created one year ago

Hi @liangshiwei, sorry if my question confused you, but I want to know what cookies are created by this method in abp.js

    abp.utils.setCookieValue = function (key, value, expireDate, path) {
        var cookieValue = encodeURIComponent(key) + '=';

        if (value) {
            cookieValue = cookieValue + encodeURIComponent(value);
        }

        if (expireDate) {
            cookieValue = cookieValue + "; expires=" + expireDate.toUTCString();
        }

        if (path) {
            cookieValue = cookieValue + "; path=" + path;
        }

        document.cookie = cookieValue;
    };

The purpose of using these cookies and do they contain any sensitive info?

0

liangshiwei created one year ago
Support Team Fullstack Developer

Hi,

It is just an extracted js method for creating cookies.

The purpose of using these cookies and do they contain any sensitive info?

We haven't used this method in framework or modules, so there is no any sensitive info

Have an answer to this question? Log in and write your answer.