How to Set HttpOnly Cookie with Unique Session ID during Token Generation #9293


Yaduraj.Shakti created

We are currently implementing token binding in our Identity Server using OpenIddict within the ABP.IO framework (v8.3.0), and we want to securely associate each access token with a unique session identifier stored in a HttpOnly cookie.

Our goal is to:

  • Set a HttpOnly, Secure, SameSite=None cookie (e.g., X-Session-Id) during /connect/token requests.
  • Store a unique session ID (e.g., Guid.NewGuid().ToString()) in the cookie.
  • Read this session ID inside a custom IAbpClaimsPrincipalContributor and bind it to a token claim (secure_session_id).
  • Validate this cookie against the claim on every subsequent request to prevent token reuse outside the originating browser/session.

What we tried so far:

  • Implemented a middleware that runs before await next(), sets the session ID in HttpContext.Items, and appends a HttpOnly cookie using context.Response.OnStarting():

        context.Response.Cookies.Append("X-Session-Id", sessionId, new CookieOptions
        {
            HttpOnly = true,
            Secure = true,
            SameSite = SameSiteMode.None,
            Path = "/",
            Expires = DateTimeOffset.UtcNow.AddHours(8)
        });
  • Used this cookie value in a custom IAbpClaimsPrincipalContributor to add the session ID claim.
  • Validated the claim against the cookie in OnTokenValidated using a custom JwtBearerEvents.

We are not sure if this approach is fully aligned with ABP.IO best practices, especially regarding:

  • Correct place to hook into the token pipeline for cookie creation (/connect/token)
  • Whether context.Response.OnStarting() is safe and recommended inside a custom IApplicationBuilder.Use(...) extension
  • Any built-in support ABP.IO has for setting session-bound HttpOnly cookies alongside token issuance

Exception: As soon as any request includes cookies (due to withCredentials: true in Angular), our backend rejects the request — even if the cookies are unrelated to antiforgery.
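The three pieces described above (the cookie middleware, the claims contributor and the bearer-side check) as one end-to-end sketch. This is an added example, not code from the original post or from ABP/OpenIddict. It assumes the ABP 8.x shapes of IAbpClaimsPrincipalContributor and AbpClaimsPrincipalContributorContext, that the contributor runs while OpenIddict builds the token principal, and that the host module calls app.UseMiddleware<SessionCookieMiddleware>() before app.UseAuthentication(); the class names and the HttpContext.Items key are my own.

```csharp
using System;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Http;
using OpenIddict.Abstractions;
using Volo.Abp.DependencyInjection;
using Volo.Abp.Modularity;
using Volo.Abp.Security.Claims;

public static class SessionBinding
{
    public const string CookieName = "X-Session-Id";     // cookie name from the question
    public const string ClaimType = "secure_session_id"; // claim name from the question
    public const string ItemKey = "SessionBinding.Id";   // HttpContext.Items key (assumed name)
}

// 1. Runs before `await next(context)` on /connect/token: the fresh id goes into
//    HttpContext.Items for the claims contributor, and the cookie is appended from
//    OnStarting, which fires once, just before the response headers are flushed.
public class SessionCookieMiddleware : IMiddleware, ITransientDependency
{
    public async Task InvokeAsync(HttpContext context, RequestDelegate next)
    {
        if (context.Request.Path.StartsWithSegments("/connect/token"))
        {
            var sessionId = Guid.NewGuid().ToString("N");
            context.Items[SessionBinding.ItemKey] = sessionId;

            context.Response.OnStarting(() =>
            {
                context.Response.Cookies.Append(SessionBinding.CookieName, sessionId, new CookieOptions
                {
                    HttpOnly = true,
                    Secure = true,
                    SameSite = SameSiteMode.None,
                    Path = "/",
                    Expires = DateTimeOffset.UtcNow.AddHours(8)
                });
                return Task.CompletedTask;
            });
        }

        await next(context);
    }
}

// 2. Copies the id into the principal that OpenIddict serialises into the token.
//    It only acts when the middleware stored an id, so ordinary bearer requests are untouched.
public class SessionIdClaimsContributor : IAbpClaimsPrincipalContributor, ITransientDependency
{
    private readonly IHttpContextAccessor _accessor;
    public SessionIdClaimsContributor(IHttpContextAccessor accessor) => _accessor = accessor;

    public Task ContributeAsync(AbpClaimsPrincipalContributorContext context)
    {
        if (_accessor.HttpContext?.Items[SessionBinding.ItemKey] is string sessionId
            && context.ClaimsPrincipal.Identity is ClaimsIdentity identity
            && !identity.HasClaim(c => c.Type == SessionBinding.ClaimType))
        {
            var claim = new Claim(SessionBinding.ClaimType, sessionId);
            // Without an explicit destination OpenIddict may drop the claim from the access token.
            claim.SetDestinations(OpenIddictConstants.Destinations.AccessToken);
            identity.AddClaim(claim);
        }
        return Task.CompletedTask;
    }
}

// 3. On every bearer request, compare claim and cookie in constant time and fail the
//    authentication on mismatch. Tokens issued without the claim (e.g. client_credentials,
//    where no browser is involved) are not subject to the check.
public static class SessionBindingEvents
{
    public static Task OnTokenValidated(TokenValidatedContext context)
    {
        var claim = context.Principal?.FindFirst(SessionBinding.ClaimType)?.Value;
        if (claim == null) return Task.CompletedTask;

        var cookie = context.HttpContext.Request.Cookies[SessionBinding.CookieName] ?? string.Empty;
        if (!CryptographicOperations.FixedTimeEquals(Encoding.UTF8.GetBytes(cookie), Encoding.UTF8.GetBytes(claim)))
        {
            context.Fail("access token is not bound to this browser session");
        }
        return Task.CompletedTask;
    }
}

// 4. Hook the event into the existing JwtBearer registration without discarding other handlers.
public class SessionBindingModule : AbpModule
{
    public override void ConfigureServices(ServiceConfigurationContext context)
    {
        Configure<JwtBearerOptions>(JwtBearerDefaults.AuthenticationScheme, options =>
        {
            options.Events ??= new JwtBearerEvents();
            options.Events.OnTokenValidated = SessionBindingEvents.OnTokenValidated;
        });
    }
}
```

The check fails closed only for tokens that carry the claim, so the binding can be rolled out without breaking machine-to-machine clients. It narrows where a leaked token is usable, but cookie and token leave the browser over the same channel, so it complements TLS and short token lifetimes rather than replacing them.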


5 Answer(s)
  • maliming created
    Support Team Fullstack Developer

    hi

    and we want to securely associate each access token with a unique session identifier stored in a HttpOnly cookie.

    Are you worried that the access token will be leaked?

    Thanks.

  • Yaduraj.Shakti created

    Hi @maliming

    We have done security testing with a third party, and they have given the recommendation that, in case the access token can be spoofed or stolen, we must allow the access token from a valid user/device.

    Could you please advise whether implementing such a case is possible or not?

  • maliming created
    Support Team Fullstack Developer

    hi

    access token can be spoofed or stolen

    First, the access token can't be spoofed.

    Then, if your Angular and server use HTTPS, it's also unlikely that the token gets stolen.

    If the other party can steal your access token, then they can also steal the username and password, adding a session cookie will not provide protection.

    Thanks.

  • Yaduraj.Shakti created

    Hi @maliming,

    Thanks for the clarification. We are using the access token + refresh token flow to minimize the damage (in case the JWT token is stolen).

    Still, can you help with some examples of adding an X-Session-Id HttpOnly cookie in ABP.IO?

    Or is there a way to bind the token to a specific device?

  • maliming created
    Support Team Fullstack Developer

    hi

    is there a way to bind token to specific device.

    Third parties can also steal your cookie if the access token can be stolen.

    Binding is meaningless.

    Thanks.

Made with ❤️ on ABP v9.3.0-preview. Updated on June 13, 2025, 11:37