
Issues with Headers with ABP 5 solution #7624


viswajwalith created

ABP Framework version: v5.1.3
UI Type: MVC
Database System: SQL Server / MongoDB
Tiered (for MVC) or Auth Server Separated (for Angular): yes
Exception message and full stack trace:
Steps to reproduce the issue: We are using Active Directory for the login process, and the request is getting blocked after a successful login when redirecting to our web client.

We are facing an issue with the user cookie headers at one of our clients' firewalls. The request header info is as follows:

    GET /Account/Login/?__tenant=xxx HTTP/1.1
    Accept: */*
    Host: xxxxxx.xxx.xxx.xx
    Cookie: .AspNetCore.Antiforgery.c9JTe_bLGaM=CfDJ8FRhYrLUrBdPg2ipof6Ze16RfGI0ZJKke6iRRofx3cFbq_tGn3HTTRD_7JKLtMzMedYMb1l8OhPx3xX6z9j1-aSSaXj1SRk2ORAcb6KOtTPmaOjcZ6RopamvmEiecEu3ljT5TFHayk2MxFUVMCgqLDo; path=/; samesite=strict; httponly; XSRF-TOKEN=CfDJ8FRhYrLUrBdPg2ipof6Ze17tsIyUCs-tAYzfoekhfgr13OA5w4tyzwXj-Hl_E6Gwkpdtn4nXDZGTpm3EBEX64NjeDhuI5CF2ZCvUOB73MJj-CKIHYapt9k5BrFRIkhnmxvZx5UOy_ez2dO_9fGa_Cks; expires=Mon, 15 May 2034 23:36:10 GMT; path=/; secure; samesite=none; .AspNetCore.Mvc.CookieTempDataProvider=CfDJ8FRhYrLUrBdPg2ipof6Ze14-m4tMwAkRe0rwhNpl2P9u1CF-toHYP6HqsIRlyoOHBm8ptS-5uL5JuLZ5s_syooXW6nUzC0z1f-H_coYQTo3p4TIjHjpX6cSy58Pfl8LcZPBHqTw81Ez_jZsLan3eH9ncIklIKi3xuyIUZq89Cztb; path=/; samesite=lax; httponly; ARRAffinity=77f12f85c9afc4c4219e1ebcbabf3c363c124c1272c6f1766e41bee0c3ed9b13;Path=/;HttpOnly;Secure;Domain=xxxxxx.xxx.xxx.xx; ARRAffinitySameSite=77f12f85c9afc4c4219e1ebcbabf3c363c124c1272c6f1766e41bee0c3ed9b13;Path=/;HttpOnly;SameSite=None;Secure;Domain=xxxxxx.xxx.xxx.xx; DCT_SP_Cookie=!rJI1vQtcC6kQKiPgElklsn4lwoYxwAGdSfWPx/X43eEKGa3yOoLohwL48lwE7DmrTLv7W9uI7LC+bw==; path=/; Httponly; Secure; TS017caf0c=01dbd0522d0c40bd5dc6161d190c1229ca2cbc4113dbe13debd550f3bdabfcd49e51511c46a1c9492a9191fad0231d4f2609b2c9c05e4918267ed51bebfbd86bcbac3dd37dd5b6042d42ae7ef5f2cec887bdcb2905df6962249646cbb6079835441f65fdc686e12d6161abceb2c2bbd925a46d613e; Path=/; TS01fabc35=01dbd0522de0e527b70608f9798164443d8d592257dbe13debd550f3bdabfcd49e51511c46d62d98a6a8cdcd821467c3f3643848eaa95095303bb71f0943f66f4e46eea66659b83ba841df4eba10d273eddb730a1f; path=/; domain=xxxxxx.xxx.xxx.xx
    Accept-Encoding: gzip, deflate, br
    From: bingbot(at)microsoft.com
    User-Agent: Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm) Chrome/116.0.1938.76 Safari/537.36
    X-Forwarded-For: 40.77.167.70

The request is getting blocked, maybe because of the SameSite policy or some special characters. Do you guys have any idea on this? In the meantime we are trying different ways, but your insights might be helpful.

We are facing this on ABP version 5; we are not sure whether it will be there in the latest versions or not, but for now we can't upgrade.
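A request Cookie header, per RFC 6265, carries only name=value pairs; the capture above also carries Set-Cookie response attributes (path=, expires=, secure, httponly, samesite=, Domain=) between the pairs, which is the kind of malformed header a strict firewall parser rejects before it ever looks at SameSite semantics. The following is an added example, not code from the original post or from ABP, that splits a Cookie header the way a strict parser does and reports both that leakage and any value containing octets outside the cookie-octet range. The embedded sample is constructed from the capture above with the long values shortened; the class and method names are the example's own.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Added example, not code from the original post. Splits a request Cookie header the way a
// strict RFC 6265 parser does and reports the two things a WAF is likely to reject in the
// capture in the post: Set-Cookie attributes leaked into the request header, and values with
// characters outside the cookie-octet range.
public static class CookieHeaderAudit
{
    // Attributes that belong only in a Set-Cookie response header (RFC 6265 section 4.1.1).
    private static readonly HashSet<string> SetCookieAttributes =
        new(StringComparer.OrdinalIgnoreCase) { "path", "domain", "expires", "max-age", "secure", "httponly", "samesite" };

    public sealed record Report(
        Dictionary<string, string> Cookies,   // name -> value pairs a browser would actually send
        List<string> LeakedAttributes,        // "path=/", "samesite=none", ... found in the request
        List<string> BadValues);              // name is not a token, or value has forbidden octets

    // cookie-octet: printable US-ASCII except CTLs, SP, DQUOTE, comma, semicolon and backslash.
    private static bool IsCookieOctet(char c) =>
        c == 0x21 || (c >= 0x23 && c <= 0x2B) || (c >= 0x2D && c <= 0x3A)
                  || (c >= 0x3C && c <= 0x5B) || (c >= 0x5D && c <= 0x7E);

    // RFC 7230 token characters, which cookie names must consist of.
    private static bool IsTokenChar(char c) =>
        (c < 0x80 && char.IsLetterOrDigit(c)) || "!#$%&'*+-.^_`|~".IndexOf(c) >= 0;

    public static Report Audit(string cookieHeader)
    {
        var report = new Report(new(), new(), new());
        foreach (var raw in cookieHeader.Split(';'))
        {
            var part = raw.Trim();
            if (part.Length == 0) continue;

            var eq = part.IndexOf('=');
            var name = (eq < 0 ? part : part[..eq]).Trim();
            var value = eq < 0 ? string.Empty : part[(eq + 1)..].Trim();

            if (SetCookieAttributes.Contains(name)) { report.LeakedAttributes.Add(part); continue; }
            if (eq < 0 || name.Length == 0 || !name.All(IsTokenChar)) { report.BadValues.Add(part); continue; }
            if (!value.All(IsCookieOctet)) report.BadValues.Add(part);

            report.Cookies[name] = value;   // last occurrence wins, as browsers do
        }
        return report;
    }

    // The header as it should have been sent: name=value pairs only.
    public static string Clean(string cookieHeader) =>
        string.Join("; ", Audit(cookieHeader).Cookies.Select(kv => $"{kv.Key}={kv.Value}"));

    public static void Main()
    {
        // Constructed sample: the Cookie header captured in the post with the long values shortened.
        const string sample =
            ".AspNetCore.Antiforgery.c9JTe_bLGaM=CfDJ8FRh; path=/; samesite=strict; httponly; " +
            "XSRF-TOKEN=CfDJ8FRhYr; expires=Mon, 15 May 2034 23:36:10 GMT; path=/; secure; samesite=none; " +
            "ARRAffinity=77f12f85c9af;Path=/;HttpOnly;Secure;Domain=xxxxxx.xxx.xxx.xx; " +
            "ARRAffinitySameSite=77f12f85c9af;Path=/;HttpOnly;SameSite=None;Secure;Domain=xxxxxx.xxx.xxx.xx; " +
            "DCT_SP_Cookie=!rJI1vQtc/X43eEKGa3y+bw==; path=/; Httponly; Secure; " +
            "TS017caf0c=01dbd0522d0c; Path=/";

        var r = Audit(sample);
        Console.WriteLine($"{r.Cookies.Count} cookies, {r.LeakedAttributes.Count} leaked Set-Cookie attributes, {r.BadValues.Count} bad values");
        foreach (var leaked in r.LeakedAttributes) Console.WriteLine($"  leaked: {leaked}");
        Console.WriteLine("Clean header: " + Clean(sample));
    }
}
```

Run against the capture, the audit flags every path/expires/secure/httponly/samesite/Domain fragment as a leaked Set-Cookie attribute while none of the values (including the `!`, `/`, `+` and `=` in DCT_SP_Cookie) fall outside the cookie-octet range, which points at the concatenated Set-Cookie strings, not at "special characters", as the thing to chase with the firewall vendor.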


7 Answer(s)
  • liangshiwei created
    Support Team Fullstack Developer

    Hi,

    could you share the error message and some screenshots?

  • viswajwalith created

    Hi,

    could you share the error message and some screenshots?

    Hi, there is no error message, as this is getting blocked by the client's firewall system due to suspicious content in the headers shared. Let me know if you have any queries.

  • liangshiwei created
    Support Team Fullstack Developer

    You can try removing some headers to check if it works.

  • viswajwalith created

    You can try removing some headers to check if it works.

    OK, will try and update you.

  • liangshiwei created
    Support Team Fullstack Developer

    okay

  • viswajwalith created

    When we tried the same by hosting in our Dev environment, we observed that the ARRAffinity cookie is not coming at all. We suspect something related to Azure Web App hosting.

    On the other hand, we tried adding code to remove "ARRAffinity" with:

    using System.Threading.Tasks;
    using Microsoft.AspNetCore.Http;

    public class RemoveARRAffinitySameSiteCookieMiddleware
    {
        private readonly RequestDelegate _next;

        public RemoveARRAffinitySameSiteCookieMiddleware(RequestDelegate next)
        {
            _next = next;
        }

        public async Task InvokeAsync(HttpContext context)
        {
            // Runs just before the response headers are flushed. Cookies.Delete() drops any
            // Set-Cookie for this name (with path=/) already in the response and appends one with
            // an empty value and an expiry in the past, so a Set-Cookie header is still sent.
            context.Response.OnStarting(() =>
            {
                context.Response.Cookies.Delete("ARRAffinitySameSite");
                return Task.CompletedTask;
            });

            await _next(context);
        }
    }

    In the Auth Server:

    public override void OnApplicationInitialization(ApplicationInitializationContext context)
    {
        var app = context.GetApplicationBuilder();
        var env = context.GetEnvironment();

        var configuration = context.ServiceProvider.GetRequiredService<IConfiguration>();

        app.Use(async (ctx, next) =>
        {
            if (ctx.Request.Headers.ContainsKey("from-ingress"))
            {
                ctx.SetIdentityServerOrigin(configuration["App:SelfUrl"]);
            }

            await next();
        });

        if (env.IsDevelopment())
        {
            app.UseDeveloperExceptionPage();
        }

        app.UseAbpRequestLocalization();

        if (!env.IsDevelopment())
        {
            app.UseErrorPage();
        }

        app.UseCorrelationId();
        app.UseStaticFiles();
        app.UseRouting();
        app.UseCors();
        app.UseHttpMetrics();
        app.UseAuthentication();
        app.UseJwtTokenMiddleware();
        app.UseMultiTenancy();
        app.UseAbpSerilogEnrichers();
        app.UseUnitOfWork();
        app.UseIdentityServer();
        app.UseAuthorization();
        app.UseAuditing();
        app.UseMiddleware<EhsWatchVeSecurityHeadersMiddleware>();
        app.UseMiddleware<RemoveARRAffinitySameSiteCookieMiddleware>();
        app.UseHsts();
        app.UseConfiguredEndpoints(endpoints =>
        {
            endpoints.MapMetrics();
        });
    }

    But we are still getting that cookie.

    The only difference is:

    • Before value: ARRAffinitySameSite=fd496f44e02cfb761c8aa28c89623dc7a80cfa26dff26b2575b73746f0673dbb;Path=/;HttpOnly;SameSite=None;Secure;Domain=xxxxxx.xxx.xxx.xx

    • Value after code change: ARRAffinitySameSite=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/

    Does this make any difference? We are still not sure about removing ARRAffinitySameSite, because this may impact the behaviour of the load balancer.
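The before/after values above are exactly what Response.Cookies.Delete() produces: it replaces the Set-Cookie for that name with an expired one rather than leaving the header out. Where the goal is for the response to carry no Set-Cookie for the name at all, the header has to be filtered in OnStarting instead. The following is an added example, not code from the thread or from ABP, of such a middleware; the class name, the UseStripSetCookie extension and the cookie-name list passed at registration are the example's own. The caveat a practitioner needs: this, like the Delete() approach, only affects Set-Cookie headers the application itself emits. A cookie that a front-end proxy appends to the response after it leaves the app, which is how the ARRAffinity cookies reach the client on Azure App Service, never passes through application middleware, and affinity then has to be switched off in the App Service configuration rather than in code.

```csharp
using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Primitives;
using Microsoft.Net.Http.Headers;

// Added example, not code from the thread. Removes selected Set-Cookie headers from the
// response instead of calling Response.Cookies.Delete(), which would replace them with an
// expired cookie that is still sent.
public sealed class StripSetCookieMiddleware
{
    private readonly RequestDelegate _next;
    private readonly string[] _cookieNames;   // hypothetical: supplied at registration

    public StripSetCookieMiddleware(RequestDelegate next, string[] cookieNames)
    {
        _next = next;
        _cookieNames = cookieNames;
    }

    public async Task InvokeAsync(HttpContext context)
    {
        // OnStarting fires just before the headers are flushed, so every Set-Cookie produced by
        // the application pipeline is visible here. Anything a proxy in front of the app adds
        // to the response afterwards (Azure's ARR front end, a WAF) is out of reach of this code.
        context.Response.OnStarting(static state =>
        {
            var (headers, names) = ((IHeaderDictionary, string[]))state;
            StringValues current = headers[HeaderNames.SetCookie];
            if (StringValues.IsNullOrEmpty(current))
            {
                return Task.CompletedTask;
            }

            var kept = current
                .Where(sc => sc is not null && !names.Any(n => IsCookieNamed(sc, n)))
                .ToArray();

            if (kept.Length == 0)
            {
                headers.Remove(HeaderNames.SetCookie);
            }
            else
            {
                headers[HeaderNames.SetCookie] = new StringValues(kept);
            }

            return Task.CompletedTask;
        }, (context.Response.Headers, _cookieNames));

        await _next(context);
    }

    // A Set-Cookie header starts with "name=value"; compare the name only, case-sensitively,
    // because cookie names are case-sensitive (RFC 6265).
    internal static bool IsCookieNamed(string setCookie, string name)
    {
        var eq = setCookie.IndexOf('=');
        return eq >= 0 && setCookie.AsSpan(0, eq).Trim().SequenceEqual(name.AsSpan());
    }
}

public static class StripSetCookieMiddlewareExtensions
{
    // Hypothetical registration helper. In the module above it would take the place of
    //     app.UseMiddleware<RemoveARRAffinitySameSiteCookieMiddleware>();
    // as
    //     app.UseStripSetCookie("ARRAffinitySameSite");
    public static IApplicationBuilder UseStripSetCookie(this IApplicationBuilder app, params string[] cookieNames)
        => app.UseMiddleware<StripSetCookieMiddleware>(new object[] { cookieNames });
}
```

Because the callback is registered before the rest of the pipeline runs, the position of the UseStripSetCookie call in the module is not important; what matters is that it runs before any endpoint that sets the cookie. Stripping the header also means the browser keeps whatever ARRAffinitySameSite value it already holds, so the observation in the thread that the dev environment never emits the cookie at all is the behaviour to compare against.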

  • liangshiwei created
    Support Team Fullstack Developer

    Consider this: https://medium.com/@chikuokuo/cookie-delete-on-net-framework-677b495901b9

Made with ❤️ on ABP v9.1.0-preview. Updated on November 11, 2024, 11:11