Open Closed

Question about cookie creation method in abp.js #4836


User avatar
0
nhontran created
  • ABP Framework version: v5.2.2
  • UI type: Angular
  • DB provider: EF Core
  • Tiered (MVC) or Identity Server Separated (Angular): yes

Hi, we got a code scan finding on the method below in abp.js in identity server:

    abp.utils.setCookieValue = function (key, value, expireDate, path) {
        var cookieValue = encodeURIComponent(key) + '=';

        if (value) {
            cookieValue = cookieValue + encodeURIComponent(value);
        }

        if (expireDate) {
            cookieValue = cookieValue + "; expires=" + expireDate.toUTCString();
        }

        if (path) {
            cookieValue = cookieValue + "; path=" + path;
        }

        document.cookie = cookieValue;
    };

The web application's function method creates a cookie, at line 623 of wwwroot/libs/abp/core/abp.js, and returns it in the response. However, the application is not configured to automatically set the cookie with the "httpOnly" attribute, and the code does not explicitly add this to the cookie.

I understand that the "HttpOnly" attribute cannot be set for a cookie using client-side JavaScript. However, I would like to request information about the cookies generated by the method in identity server, including their purpose and whether they contain any sensitive information.

Thank you.


3 Answer(s)
  • User Avatar
    0
    liangshiwei created
    Support Team Fullstack Developer

    Hi,

    The Identityserver use CookieAuthentication and aspnet core identity. And the cookie created by: https://github.com/dotnet/aspnetcore/blob/main/src/Security/Authentication/Cookies/src/CookieAuthenticationHandler.cs

  • User Avatar
    0
    nhontran created

    Hi @liangshiwei, sorry if my question confused you, but I want to know what cookies are created by this method in abp.js

        abp.utils.setCookieValue = function (key, value, expireDate, path) {
            var cookieValue = encodeURIComponent(key) + '=';
    
            if (value) {
                cookieValue = cookieValue + encodeURIComponent(value);
            }
    
            if (expireDate) {
                cookieValue = cookieValue + "; expires=" + expireDate.toUTCString();
            }
    
            if (path) {
                cookieValue = cookieValue + "; path=" + path;
            }
    
            document.cookie = cookieValue;
        };
    

    The purpose of using these cookies and do they contain any sensitive info?

  • User Avatar
    0
    liangshiwei created
    Support Team Fullstack Developer

    Hi,

    It is just an extracted js method for creating cookies.

    The purpose of using these cookies and do they contain any sensitive info?

    We haven't used this method in framework or modules, so there is no any sensitive info

Made with ❤️ on ABP v9.1.0-preview. Updated on December 12, 2024, 07:15