CSRF Protection and HttpOnly cookies

I’m really just placing this here to help others, but over the weekend we experienced an Octopus outage after installing version 3.13.0. While I’m not certain in which version this was added, the CSRF protection JavaScript code in the client relies on access to the content of the antiforgery token cookie. As a result, this means the cookie itself cannot be marked as HttpOnly (since JavaScript code cannot access the content of HttpOnly cookies). For others who may be in a situation similar to us with a combination of load balancing and reverse proxies, if one of these components forces all cookies to be HttpOnly then you will not be able to progress past the sign-in screen.

In order to remediate the issue, you’ll need to adjust your load balancer and/or reverse proxy to allow for non-HttpOnly cookies. I just wanted to share since we spent a number of hours digging through the JavaScript trying to determine why it said that the antiforgery cookie was not present or invalid when it showed up in the Chrome developer tools. Hopefully this saves someone some time.

Hi Adam,

Thanks for the feedback and helping out other customers!

This is a scenario I hadn’t anticipated! I’ve raised this GitHub Issue to make it easier to detect and fix this kind of situation: https://github.com/OctopusDeploy/Issues/issues/3481

As part of this I’ve added some extra steps to help diagnose this specific scenario: https://octopus.com/docs/reference/csrf-and-octopus-deploy

Hope that helps!

Thanks, Michael! Though I would make one minor modification to the troubleshooting documentation you added: in our case the cookie wasn’t being stripped from the response, but the value of HttpOnly was being forced to true. This is what actually made debugging more difficult at first, as we could see the cookie that the JavaScript was looking for was actually present, but only later did we notice that HttpOnly was set to false when we hit the machine directly and true when it was going through the reverse proxy.

Hi Adam,

Thanks for getting in touch and looking through that documentation! Oh wow, I didn’t realise the cookie was being modified.

I’ve updated the guide accordingly. :slight_smile:

Happy Deployments!