Open Closed

How to enable 'Secure' flag for '.AspNetCore.Culture' cookie? #4904


User avatar
0
nhontran created
  • ABP Framework version: v5.2.2
  • UI type: Angular
  • DB provider: EF Core
  • Tiered (MVC) or Identity Server Separated (Angular): yes / no
  • Exception message and stack trace:
  • Steps to reproduce the issue:"

Hi, we received a pen test finding indicating that we need to enable the 'Secure' flag for the '.AspNetCore.Culture' cookie:

I have tried to enable by adding this code but it does not work:

Configure<CookiePolicyOptions>(options =>
{
    options.Secure = CookieSecurePolicy.Always;
});

Configure<AntiforgeryOptions>(options =>
{
    options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
});  

could you please assist us on this request?


4 Answer(s)
  • User Avatar
    0
    liangshiwei created
    Support Team Fullstack Developer

    Hi,

    You can try this:

    public override void OnApplicationInitialization(ApplicationInitializationContext context)
    {
        var env = context.GetEnvironment();
        var app = context.GetApplicationBuilder();
    
        app.UseCookiePolicy(new CookiePolicyOptions()
        {
            OnAppendCookie = cookieContext =>
            {
                if (cookieContext.CookieName == CookieRequestCultureProvider.DefaultCookieName)
                {
                    cookieContext.CookieOptions.Secure = true;
                }
                
            }
        });
        
        ........
     }
    
  • User Avatar
    0
    nhontran created

    Hi @liangshiwei, I just tried it but it does not work, I feel the cookie is created at the front-end side (Angular) isn't it? I found these lines of code in angular:

  • User Avatar
    0
    mahmut.gundogdu created

    I feel the cookie is created at the front-e

    yes.. that provider created language cookie. You can override too with TOKEN. https://github.com/abpframework/abp/blob/dev/npm/ng-packs/packages/core/src/lib/providers/cookie-language.provider.ts

  • User Avatar
    0
    nhontran created

    Hi, I managed to override it already. Thanks

Made with ❤️ on ABP v9.1.0-preview. Updated on December 10, 2024, 06:38