
HTTP-Only Anti-Forgery Token Error. #12323


truist.software created

ASP.NET CORE MVC & jQuery: v13.3.0 .NET 8

Adding HTTP-Only to the XSRF-TOKEN cookie results in 400 (Bad Request) errors throughout the application. I followed the "HTTP-Only Anti-Forgery Token in ASP.NET Zero" blog: https://aspnetzero.com/blog/http-only-anti-forgery-token-in-asp.net-zero

Attached is a screenshot from DevTools with a service call. All calls throughout the application result in a 400 (Bad Request) error.


7 Answer(s)
  • m.aliozkaya created
    Support Team

    Hi @truist.software,

    Can you share your request network and the cookies?

  • truist.software created

    Updated with Cookies and Network information.

  • m.aliozkaya created
    Support Team

    Hi @truist.software,

    Do you have a cookie like this?

    You may also have forgotten about using middleware.

  • truist.software created

    As the screenshots show, I do have the XSRF-TOKEN cookie and the HttpOnly attribute is set. As stated initially, I did follow the blog and have implemented the middleware and configured it in Startup.cs, which is why the cookie is set to HttpOnly. The issue is that setting this cookie to HttpOnly results in 400 Bad Request errors when accessing the application pages.

  • m.aliozkaya created
    Support Team

    Hi @truist.software,

    Could you share your project with [email protected] ?

  • truist.software created

    I cannot share the project but I don't need to. If you just use ASP.NET CORE MVC & jQuery: v13.3.0 .NET 8 straight from the download and you follow the blog https://aspnetzero.com/blog/http-only-anti-forgery-token-in-asp.net-zero you will see that the XSRF-TOKEN is set to HttpOnly per the blog, but the application breaks with 400 Bad Request as you go through the different application features using the menu.

  • oguzhanagir created
    Support Team

    Hi @truist.software

    Your problem of getting a 400 error here has been solved in other versions. You can use the latest version, 14.0.0, if you want. The problem you described does not occur in the latest version.