21

I was trying to use ValidateAntiForgeryToken in .NET Core, but I was getting ".AspNetCore.Antiforgery.xxxxxxx cookie is missing".

What is this .AspNetCore.Antiforgery.xxxxxxx cookie?

Sharif Mamun

1 Answer

31

ASP.NET Core looks for this cookie to find the X-CSRF token.

The ValidateAntiForgeryToken is an action filter that can be applied to an individual action, a controller, or globally for the app. Requests made to actions that have this filter applied will be blocked unless the request includes a valid antiforgery token.

In general, ASP.NET Core may look for the token in a cookie or a header. So you may have a situation where

  • a header is used to pass the token instead of a cookie
  • the cookie with the token has a different name than the one ASP.NET Core expected.

By default, ASP.NET Core will generate and expect a unique cookie name beginning with the DefaultCookiePrefix (".AspNetCore.Antiforgery.").

This could be overridden using the antiforgery option CookieName:

```csharp
services.AddAntiforgery(options => options.CookieName = "X-CSRF-TOKEN-COOKIENAME");
```

For .NET Core 2.0.0 or greater there will be changes:

Reference: https://learn.microsoft.com/en-us/dotnet/api/Microsoft.AspNetCore.Antiforgery.AntiforgeryOptions?view=aspnetcore-2.0

For that, use the following:

```csharp
services.AddAntiforgery(options => options.Cookie.Name = "X-CSRF-TOKEN-COOKIENAME");
```

For the header, the name could be specified by:

```csharp
services.AddAntiforgery(options => options.HeaderName = "X-XSRF-TOKEN");
```

Look into:

Tim
Set
  • Or ... If `Antiforgery` is somehow already added by default, you can configure it in the way shown here: https://github.com/aspnet/Antiforgery/issues/97#issue-169311974 – olfek Sep 29 '19 at 19:44
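The cookie and header names from the answer above, wired into a small app that issues the token pair and validates it. This is an added example, not code from the answer or from the ASP.NET Core project; it assumes .NET 6 or later minimal hosting with implicit usings, and the routes `/antiforgery/token` and `/transfer` are hypothetical.

```csharp
using Microsoft.AspNetCore.Antiforgery;

var builder = WebApplication.CreateBuilder(args);

// Same options as in the answer: one name for the cookie, one for the header.
builder.Services.AddAntiforgery(options =>
{
    options.Cookie.Name = "X-CSRF-TOKEN-COOKIENAME";
    options.HeaderName = "X-XSRF-TOKEN";
});

var app = builder.Build();

// Hypothetical route. GetAndStoreTokens sets the antiforgery cookie on the
// response and returns the matching request token for the client to echo back.
app.MapGet("/antiforgery/token", (IAntiforgery antiforgery, HttpContext context) =>
{
    AntiforgeryTokenSet tokens = antiforgery.GetAndStoreTokens(context);
    return Results.Ok(new { header = tokens.HeaderName, token = tokens.RequestToken });
});

// Hypothetical route. Validation needs both halves: the cookie named above and
// the request token in the X-XSRF-TOKEN header (or the antiforgery form field).
app.MapPost("/transfer", async (IAntiforgery antiforgery, HttpContext context) =>
{
    try
    {
        await antiforgery.ValidateRequestAsync(context);
    }
    catch (AntiforgeryValidationException ex)
    {
        // Thrown when the cookie or the request token is absent or does not match.
        // Log the detail server-side; return a generic rejection to the caller.
        app.Logger.LogWarning(ex, "Antiforgery validation failed for {Path}", context.Request.Path);
        return Results.BadRequest();
    }
    return Results.Ok(new { status = "accepted" });
});

app.Run();
```

A POST to `/transfer` that was not preceded by a call to `/antiforgery/token` carries neither the cookie nor the header, so validation rejects it. The same happens when the client sends the cookie under a different name than the one configured in `Cookie.Name`.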