ABP Framework version: v5.1.3
UI Type: MVC
Database System: SQL Server / MongoDB
Tiered (for MVC) or Auth Server Separated (for Angular): yes
Exception message and full stack trace:
Steps to reproduce the issue: We are using Active Directory for the login process, and the request is getting blocked after successfully logging in and redirecting to our web client.
We are facing an issue with the user cookie headers with one of the clients' firewalls. The request header info is as follows:
GET /Account/Login/?__tenant=xxx HTTP/1.1
Accept: /
Host: xxxxxx.xxx.xxx.xx
Cookie: .AspNetCore.Antiforgery.c9JTe_bLGaM=CfDJ8FRhYrLUrBdPg2ipof6Ze16RfGI0ZJKke6iRRofx3cFbq_tGn3HTTRD_7JKLtMzMedYMb1l8OhPx3xX6z9j1-aSSaXj1SRk2ORAcb6KOtTPmaOjcZ6RopamvmEiecEu3ljT5TFHayk2MxFUVMCgqLDo; path=/; samesite=strict; httponly; XSRF-TOKEN=CfDJ8FRhYrLUrBdPg2ipof6Ze17tsIyUCs-tAYzfoekhfgr13OA5w4tyzwXj-Hl_E6Gwkpdtn4nXDZGTpm3EBEX64NjeDhuI5CF2ZCvUOB73MJj-CKIHYapt9k5BrFRIkhnmxvZx5UOy_ez2dO_9fGa_Cks; expires=Mon, 15 May 2034 23:36:10 GMT; path=/; secure; samesite=none; .AspNetCore.Mvc.CookieTempDataProvider=CfDJ8FRhYrLUrBdPg2ipof6Ze14-m4tMwAkRe0rwhNpl2P9u1CF-toHYP6HqsIRlyoOHBm8ptS-5uL5JuLZ5s_syooXW6nUzC0z1f-H_coYQTo3p4TIjHjpX6cSy58Pfl8LcZPBHqTw81Ez_jZsLan3eH9ncIklIKi3xuyIUZq89Cztb; path=/; samesite=lax; httponly; ARRAffinity=77f12f85c9afc4c4219e1ebcbabf3c363c124c1272c6f1766e41bee0c3ed9b13;Path=/;HttpOnly;Secure;Domain=xxxxxx.xxx.xxx.xx; ARRAffinitySameSite=77f12f85c9afc4c4219e1ebcbabf3c363c124c1272c6f1766e41bee0c3ed9b13;Path=/;HttpOnly;SameSite=None;Secure;Domain=xxxxxx.xxx.xxx.xx; DCT_SP_Cookie=!rJI1vQtcC6kQKiPgElklsn4lwoYxwAGdSfWPx/X43eEKGa3yOoLohwL48lwE7DmrTLv7W9uI7LC+bw==; path=/; Httponly; Secure; TS017caf0c=01dbd0522d0c40bd5dc6161d190c1229ca2cbc4113dbe13debd550f3bdabfcd49e51511c46a1c9492a9191fad0231d4f2609b2c9c05e4918267ed51bebfbd86bcbac3dd37dd5b6042d42ae7ef5f2cec887bdcb2905df6962249646cbb6079835441f65fdc686e12d6161abceb2c2bbd925a46d613e; Path=/; TS01fabc35=01dbd0522de0e527b70608f9798164443d8d592257dbe13debd550f3bdabfcd49e51511c46d62d98a6a8cdcd821467c3f3643848eaa95095303bb71f0943f66f4e46eea66659b83ba841df4eba10d273eddb730a1f; path=/; domain=xxxxxx.xxx.xxx.xx
Accept-Encoding: gzip, deflate, br
From: bingbot(at)microsoft.com
User-Agent: Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm) Chrome/116.0.1938.76 Safari/537.36
X-Forwarded-For: 40.77.167.70
The request is getting blocked, maybe because of the SameSite policy or some special characters. Do you guys have any idea on this? In the meantime we are trying different ways, but your insights might be helpful.
We are facing this on ABP version 5; not sure whether it will be there in the latest versions or not, but for now we can't upgrade.
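As an added example (not part of the question and not ABP code), here is a small C# check that scans a request Cookie header for attribute names that belong only in a Set-Cookie response header (path, expires, samesite, httponly and so on). The Cookie header quoted above carries exactly those attributes between the cookie pairs, which is the kind of malformed header a firewall or WAF treats as suspicious; logging the offending tokens is more useful than guessing. The class name, the method name and the shortened sample header are constructed for illustration.

```csharp
// Added example (not from the thread): flags Set-Cookie-only attributes that
// appear inside a request Cookie header. Names and the sample header are
// constructed for illustration, modelled on the header quoted in the question.
using System;
using System.Collections.Generic;

public static class CookieHeaderCheck
{
    // Attribute names that are valid in Set-Cookie (RFC 6265 section 4.1) but
    // never in a Cookie request header, which carries only name=value pairs.
    private static readonly HashSet<string> SetCookieOnlyAttributes =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        { "path", "domain", "expires", "max-age", "secure", "httponly", "samesite" };

    // Returns the offending tokens in the order they appear; an empty list means
    // the header contains only cookie pairs.
    public static List<string> FindSetCookieAttributes(string cookieHeader)
    {
        var found = new List<string>();
        foreach (var raw in cookieHeader.Split(';'))
        {
            var token = raw.Trim();
            if (token.Length == 0) continue;

            // "expires=Mon, 15 May 2034 ..." contains no ';', so it stays one token.
            var name = token.Split('=', 2)[0].Trim();
            if (SetCookieOnlyAttributes.Contains(name))
                found.Add(token);
        }
        return found;
    }

    public static void Main()
    {
        // Constructed sample: the same shape as the quoted header, with short values.
        const string header =
            ".AspNetCore.Antiforgery.abc=value1; path=/; samesite=strict; httponly; " +
            "XSRF-TOKEN=value2; expires=Mon, 15 May 2034 23:36:10 GMT; path=/; secure; samesite=none; " +
            "ARRAffinity=abc123;Path=/;HttpOnly;Secure;Domain=app.example.com";

        var offenders = FindSetCookieAttributes(header);
        Console.WriteLine(offenders.Count == 0
            ? "Cookie header is well-formed"
            : "Cookie header carries Set-Cookie attributes: " + string.Join(" | ", offenders));
    }
}
```

For the constructed sample the check reports every path, samesite, httponly, expires, secure and Domain token; a well-formed Cookie header from a browser yields an empty list. Running it against the raw header from the client's firewall logs shows which tokens the firewall is most likely reacting to.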
7 Answer(s)
-
0
Hi,
could you share the error message and some screenshots?
-
0
Hi,
could you share the error message and some screenshots?
Hi, there is no error message, as this is getting blocked by the client's firewall system due to suspicious content in the headers shared. Let me know if you have any queries.
-
0
-
0
-
0
okay
-
0
When we tried the same by hosting in our Dev Environment, we observed that the ARRAffinity cookie is not coming at all. We are suspecting something related to Azure Web App hosting.
On the other hand, we tried adding code to remove "ARRAffinity" by:
public class RemoveARRAffinitySameSiteCookieMiddleware
{
    private readonly RequestDelegate _next;

    public RemoveARRAffinitySameSiteCookieMiddleware(RequestDelegate next)
    {
        _next = next;
    }

    public async Task InvokeAsync(HttpContext context)
    {
        // Runs just before the response headers are written and appends an
        // expiring Set-Cookie for the affinity cookie.
        context.Response.OnStarting(() =>
        {
            context.Response.Cookies.Delete("ARRAffinitySameSite");
            return Task.CompletedTask;
        });

        await _next(context);
    }
}
In the Auth Server:
public override void OnApplicationInitialization(ApplicationInitializationContext context)
{
    var app = context.GetApplicationBuilder();
    var env = context.GetEnvironment();
    var configuration = context.ServiceProvider.GetRequiredService<IConfiguration>();

    // Requests arriving through the ingress get the public origin set explicitly.
    app.Use(async (ctx, next) =>
    {
        if (ctx.Request.Headers.ContainsKey("from-ingress"))
        {
            ctx.SetIdentityServerOrigin(configuration["App:SelfUrl"]);
        }
        await next();
    });

    if (env.IsDevelopment())
    {
        app.UseDeveloperExceptionPage();
    }

    app.UseAbpRequestLocalization();

    if (!env.IsDevelopment())
    {
        app.UseErrorPage();
    }

    app.UseCorrelationId();
    app.UseStaticFiles();
    app.UseRouting();
    app.UseCors();
    app.UseHttpMetrics();
    app.UseAuthentication();
    app.UseJwtTokenMiddleware();
    app.UseMultiTenancy();
    app.UseAbpSerilogEnrichers();
    app.UseUnitOfWork();
    app.UseIdentityServer();
    app.UseAuthorization();
    app.UseAuditing();
    app.UseMiddleware<EhsWatchVeSecurityHeadersMiddleware>();
    // Registers the cookie-removal middleware shown above.
    app.UseMiddleware<RemoveARRAffinitySameSiteCookieMiddleware>();
    app.UseHsts();
    app.UseConfiguredEndpoints(endpoints =>
    {
        endpoints.MapMetrics();
    });
}
but we are still getting that cookie.
The only difference is:
Before Value: ARRAffinitySameSite=fd496f44e02cfb761c8aa28c89623dc7a80cfa26dff26b2575b73746f0673dbb;Path=/;HttpOnly;SameSite=None;Secure;Domain=xxxxxx.xxx.xxx.xx
Value After code change: ARRAffinitySameSite=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/
Do you think this makes any difference? But still, we are not sure about removing ARRAffinitySameSite, because this may impact the behaviour of the load balancer.
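One way to make the deletion match the original cookie, as an added example (not the poster's code and not an ABP API): ASP.NET Core's Response.Cookies.Delete(name) with no options writes `name=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/`, which is exactly the "Value After" line above. Because that Set-Cookie carries no Domain attribute, the browser does not match it to the cookie that was issued with Domain=xxxxxx.xxx.xxx.xx and stores it as a separate cookie instead. Passing a CookieOptions with the same Path and Domain makes the expiry apply to the right cookie. The middleware class name, the extension method and the cookieDomain parameter are assumptions; the cookie names come from the thread.

```csharp
// Added example (not the thread author's code): deletes the ARR affinity cookies
// with the same Path and Domain they were issued with, so the browser matches the
// expiring Set-Cookie to the existing cookie. Class name, extension method and the
// cookieDomain parameter are assumptions made for this example.
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;

public class RemoveArrAffinityCookiesMiddleware
{
    private static readonly string[] CookieNames = { "ARRAffinity", "ARRAffinitySameSite" };
    private readonly RequestDelegate _next;
    private readonly string _cookieDomain; // the host seen in Domain=... on the original cookie

    public RemoveArrAffinityCookiesMiddleware(RequestDelegate next, string cookieDomain)
    {
        _next = next;
        _cookieDomain = cookieDomain;
    }

    public async Task InvokeAsync(HttpContext context)
    {
        context.Response.OnStarting(() =>
        {
            foreach (var name in CookieNames)
            {
                // Only emit a deletion when the cookie actually arrived on the request.
                if (!context.Request.Cookies.ContainsKey(name)) continue;

                // Delete without options would produce "name=; expires=...; path=/"
                // with no Domain, which does not clear the Domain-scoped cookie.
                context.Response.Cookies.Delete(name, new CookieOptions
                {
                    Path = "/",
                    Domain = _cookieDomain,
                    Secure = true,
                    HttpOnly = true,
                    // The *SameSite variant was issued with SameSite=None; keep that so
                    // browsers accept the expiring cookie in cross-site contexts too.
                    SameSite = name.EndsWith("SameSite") ? SameSiteMode.None : SameSiteMode.Unspecified
                });
            }
            return Task.CompletedTask;
        });

        await _next(context);
    }
}

public static class RemoveArrAffinityCookiesMiddlewareExtensions
{
    // Usage in OnApplicationInitialization, at the point where the existing
    // UseMiddleware<RemoveARRAffinitySameSiteCookieMiddleware>() call sits:
    //   app.UseRemoveArrAffinityCookies("xxxxxx.xxx.xxx.xx");
    public static IApplicationBuilder UseRemoveArrAffinityCookies(this IApplicationBuilder app, string cookieDomain)
        => app.UseMiddleware<RemoveArrAffinityCookiesMiddleware>(cookieDomain);
}
```

Two caveats on the design. The affinity cookie is injected by the App Service front end (ARR), not by the application, so the front end can keep reissuing it regardless of what the app sends; disabling ARR affinity in the App Service configuration removes the cookie at its source and is the reliable fix when sticky sessions are not needed. If the application does rely on sticky sessions, the cookie has to stay, and the firewall-side allowlist is the place to address the block instead.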
-
0
Consider this: https://medium.com/@chikuokuo/cookie-delete-on-net-framework-677b495901b9