0

Is there any way to set HttpOnly=false for the cookie __RequestVerificationToken in ASP.NET MVC? I need to read it in JavaScript and send it in a request header.

Aleksa

1 Answer

0

Don't do that. You can simply read and post the __RequestVerificationToken to the server by AJAX. Check the following links.

  1. send-and-validate-an-asp-net-antiforgerytoken-as-a-request-header
  2. include-antiforgerytoken-in-ajax-post-asp-net-mvc
vahid
  • I just want to know if HttpOnly=false is possible and how to do it. Then I will decide if I will use it or not. – Aleksa Dec 06 '18 at 08:29
  • I think it is possible. For example, check this link (https://github.com/aspnet/Antiforgery/issues/29#issuecomment-165304489) – vahid Dec 06 '18 at 08:44
  • This link (https://rehansaeed.com/securing-the-aspnet-mvc-web-config/) is useful too. I believe you can find your answer there. – vahid Dec 06 '18 at 08:55
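
An added example, not code from the answer or its links: script reads the request token from the hidden field that `@Html.AntiForgeryToken()` renders and sends it as a header, while the browser attaches the HttpOnly cookie on its own. The header name, the sample URL and the function names are assumptions; the header name must match whatever the server-side validation reads.

```javascript
// Added example. Assumes the page was rendered with @Html.AntiForgeryToken()
// and that the server validates a header named HEADER_NAME (an assumption).
const FIELD_NAME = "__RequestVerificationToken";
const HEADER_NAME = "RequestVerificationToken"; // must match the server side

// Read the request token from the hidden <input>, not from the cookie.
function readRequestToken(doc) {
  const input = doc.querySelector(`input[name="${FIELD_NAME}"]`);
  if (!input || !input.value) {
    throw new Error("anti-forgery hidden field not found on this page");
  }
  return input.value;
}

// Build fetch() arguments for a JSON POST that carries the token in a header.
// The token is attached only to same-origin URLs so it never leaves the site.
function buildProtectedPost(doc, pageOrigin, url, payload) {
  const target = new URL(url, pageOrigin);
  if (target.origin !== new URL(pageOrigin).origin) {
    throw new Error("refusing to send anti-forgery token cross-origin");
  }
  return {
    url: target.href,
    init: {
      method: "POST",
      credentials: "same-origin", // browser sends the HttpOnly cookie itself
      headers: {
        "Content-Type": "application/json",
        [HEADER_NAME]: readRequestToken(doc),
      },
      body: JSON.stringify(payload),
    },
  };
}

// In a browser (hypothetical endpoint):
//   const { url, init } = buildProtectedPost(document, location.origin,
//                                            "/orders/create", { id: 7 });
//   fetch(url, init);
```

The cookie keeps its HttpOnly flag throughout, because the value script needs is the paired token in the form field, not the cookie.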