All the pages that are setting `XSRF-TOKEN`, `.AspNetCore.Culture` and `idsrv.session` in the HTTP response are reported as a "No `HttpOnly` Flag" vulnerability. This is a positive alert.

The `idsrv.session` cookie is being used in IDS4, and after ABP 6.x the support for IDS will be dropped; therefore this cookie will not be used anymore. Also, there is an issue related to the `idsrv.session` cookie: it cannot be set as `HttpOnly`; you can see the related thread at its own repository: IdentityServer/IdentityServer4#3873.

On the other hand, the cookies `.AspNetCore.Culture` and `XSRF-TOKEN` are being retrieved via JavaScript in ABP Angular, MVC and Blazor WASM projects. Therefore, they cannot be set as `HttpOnly`. You can check out the following modules that retrieve these cookies via JavaScript:

**Setting the `XSRF-TOKEN` cookie as `HttpOnly`:**

If you want to set it, you can do it in the `AbpAntiForgeryOptions` class.

**Setting the `.AspNetCore.Culture` cookie as `HttpOnly`:**

If you want to set it, you can do it in the `AbpRequestCultureCookieHelper` class. Set the option `HttpOnly = true`.

Closing this issue because there is no need for a fix right now.
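One way to triage a "No HttpOnly Flag" scanner finding like the one discussed in this issue, as an added example that is neither ABP code nor the issue author's: it parses `Set-Cookie` headers, flags every cookie that lacks `HttpOnly`, and separates the cookies the comment above identifies as intentionally JavaScript-readable (`XSRF-TOKEN`, `.AspNetCore.Culture`) from the ones that still need attention. The header values below are constructed samples, and the allowlist of JS-readable cookie names is an assumption taken from the comment; `.AspNetCore.Identity.Application` is used only as a sample of a cookie that does carry the flag.

```python
"""Triage 'No HttpOnly Flag' findings against cookies that must stay JS-readable.

Added example, not code from the ABP project or the issue author. The allowlist
and the sample Set-Cookie headers are assumptions constructed from the comment.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Cookies the comment says are read via JavaScript in ABP Angular/MVC/Blazor WASM
# and therefore cannot carry HttpOnly (assumption: names taken from the comment).
JS_READABLE = {"XSRF-TOKEN", ".AspNetCore.Culture"}

# Constructed sample Set-Cookie header values (one header value per entry).
SAMPLE_SET_COOKIE_HEADERS = [
    "XSRF-TOKEN=CfDJ8EXAMPLETOKEN; path=/; secure; samesite=strict",
    ".AspNetCore.Culture=c%3Den%7Cuic%3Den; expires=Sat, 01 Jan 2028 00:00:00 GMT; path=/; secure",
    "idsrv.session=EXAMPLESESSIONID; path=/; secure; samesite=none",
    ".AspNetCore.Identity.Application=CfDJ8EXAMPLEAUTH; path=/; secure; samesite=lax; httponly",
]


@dataclass
class CookieCheck:
    name: str
    http_only: bool
    secure: bool
    same_site: Optional[str]
    verdict: str  # "ok" | "expected-js-readable" | "missing-httponly"


def parse_set_cookie(header_value: str) -> CookieCheck:
    """Parse one Set-Cookie header value and classify its HttpOnly status.

    Attribute names are matched case-insensitively because servers emit both
    'HttpOnly' and 'httponly'; the cookie value itself is not interpreted.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, _value = parts[0].partition("=")
    name = name.strip()

    http_only = secure = False
    same_site: Optional[str] = None
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "httponly":
            http_only = True
        elif key == "secure":
            secure = True
        elif key == "samesite":
            same_site = val.strip() or None

    if http_only:
        verdict = "ok"
    elif name in JS_READABLE:
        # Documented exception: the front end reads this cookie from script,
        # so HttpOnly would break it. Still worth confirming Secure/SameSite.
        verdict = "expected-js-readable"
    else:
        verdict = "missing-httponly"

    return CookieCheck(name, http_only, secure, same_site, verdict)


def triage(header_values: List[str]) -> Dict[str, List[str]]:
    """Group cookie names by verdict so the report separates true gaps from
    documented JS-readable exceptions."""
    report: Dict[str, List[str]] = {
        "ok": [],
        "expected-js-readable": [],
        "missing-httponly": [],
    }
    for header_value in header_values:
        check = parse_set_cookie(header_value)
        report[check.verdict].append(check.name)
    return report


if __name__ == "__main__":
    for verdict, names in triage(SAMPLE_SET_COOKIE_HEADERS).items():
        print(f"{verdict:22s} {', '.join(names) or '-'}")
```

The `expected-js-readable` bucket is a documented exception rather than a suppressed finding: each cookie in it should be traceable to the front-end code that reads it, and anything that lands in `missing-httponly` (here the sample `idsrv.session`) is the part of the scanner report that still needs a decision.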