ASP.NET CORE MVC & jQuery: v13.3.0 .NET 8
Adding HTTP-Only to the XSRF-TOKEN cookie results in 400 (Bad Request) errors throughout the application. Followed the "HTTP-Only Anti-Forgery Token in ASP.NET Zero" blog: https://aspnetzero.com/blog/http-only-anti-forgery-token-in-asp.net-zero
Attached is a screenshot from DevTools with a service call. All calls throughout the application result in a 400 (Bad Request) error.
7 Answer(s)
-
0
Hi @truist.software,
Can you share your request network and the cookies?
-
0
Updated with Cookies and Network information.
-
0
As the screenshots show, I do have the XSRF-TOKEN cookie and the HttpOnly attribute is set. As stated initially, I did follow the blog and have implemented the middleware and configured it in Startup.cs, which is why the cookie is set to HttpOnly. The issue is that setting this cookie to HttpOnly results in 400 Bad Request errors when accessing the application pages.
-
0
Hi @truist.software,
Could you share your project with [email protected]?
-
0
I cannot share the project, but I don't need to. If you just use ASP.NET CORE MVC & jQuery: v13.3.0 .NET 8 straight from the download and you follow the blog https://aspnetzero.com/blog/http-only-anti-forgery-token-in-asp.net-zero, you will see that the XSRF-TOKEN is set to HttpOnly per the blog, but the application breaks with 400 Bad Request as you go through the different application features using the menu.
-
0
Hi @truist.software,
Your problem of getting a 400 error here has been solved in other versions. You can use the latest version, 14.0.0, if you want. The problem you described does not occur in the latest version.