
In .NET Core we configure antiforgery features with IAntiforgery along with [ValidateAntiForgeryToken] or [AutoValidateAntiforgeryToken] to prevent Cross-Site Request Forgery (XSRF/CSRF) attacks.

To configure the antiforgery feature in middleware we use:

var antiforgery = app.Services.GetRequiredService<IAntiforgery>();

app.Use((context, next) =>
{
    var requestPath = context.Request.Path.Value;

    if (string.Equals(requestPath, "/", StringComparison.OrdinalIgnoreCase)
        || string.Equals(requestPath, "/index.html", StringComparison.OrdinalIgnoreCase))
    {
        var tokenSet = antiforgery.GetAndStoreTokens(context);
        context.Response.Cookies.Append("XSRF-TOKEN", tokenSet.RequestToken!,
            new CookieOptions { HttpOnly = false });
    }

    return next(context);
});

Microsoft Doc Link

Now my question is: if we set new CookieOptions { HttpOnly = true }, then what changes do we need to make on the server side as well as on the client side?

Zeeshan

1 Answer


Changes on client-side? Realistically, absolutely none.

It should be easier to use an HttpOnly cookie rather than extracting and storing your client-side cookie/token manually. The HttpOnly cookie just stops the cookie from being interceptable via client-side JavaScript. As long as you aren't actually trying to grab that cookie from the request (and why would you, it's stored in cookies!), then it will automatically be sent along with all of your requests.

Server-side should work the same as always. HttpOnly is a client-side change.

Mark Barton
  • That's what my question is: what mostly changes at the client side? How does this work internally, if you could explain? – Zeeshan Dec 15 '21 at 12:26
  • like I said; 'As long as you aren't actually trying to grab that cookie from the request (and why would you, it's stored in cookies!), then it will automatically be sent along with all of your requests'. But you downvoted me for some reason... Without seeing your client-side code, I can't know exactly what you are doing with your current token. All I can say is you can remove any logic on the front end that would involve manually retrieving the token and then attaching it to future requests, because the browser will take care of it all for you from now on. – Mark Barton Dec 15 '21 at 15:39
  • Mark, I have not downvoted you. I was not clear on your answer, which is why I asked more in a comment. Anyway, thanks for the answer. – Zeeshan Dec 16 '21 at 05:14
  • Even I have marked it as Useful. – Zeeshan Dec 16 '21 at 05:32
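Added example, not from the question or the answer: a JavaScript model of the two-token check ASP.NET Core antiforgery performs, showing what the HttpOnly flag on the XSRF-TOKEN cookie issued by the middleware above changes for a script client. It assumes the server's AntiforgeryOptions.HeaderName is set to X-XSRF-TOKEN; the antiforgery cookie name and the token values are constructed, and a lookup table stands in for the cryptographic binding the framework verifies between the two tokens.

```javascript
// Simplified model of ASP.NET Core's antiforgery check (added example, see lead-in).
// The framework keeps the cookie token in its own HttpOnly cookie; XSRF-TOKEN only
// carries the request token, which script must copy into a header or form field.
const ANTIFORGERY_COOKIE = ".AspNetCore.Antiforgery"; // constructed name
const XSRF_COOKIE = "XSRF-TOKEN"; // the cookie the middleware appends
const HEADER_NAME = "X-XSRF-TOKEN"; // assumes AntiforgeryOptions.HeaderName is set to this
// Constructed token pair; a lookup stands in for the cryptographic binding
// the framework verifies between cookie token and request token.
const BOUND_PAIRS = { "cookie-token-1": "request-token-1" };

// Parse "a=1; b=2", the shape document.cookie has in a browser.
function readCookie(cookieString, name) {
  for (const part of cookieString.split(";")) {
    const [key, ...rest] = part.trim().split("=");
    if (key === name) return rest.join("=");
  }
  return null;
}

// What document.cookie exposes: only cookies issued without HttpOnly.
function visibleToScript(issued) {
  return issued.filter((c) => !c.httpOnly).map((c) => `${c.name}=${c.value}`).join("; ");
}

// Client side: the header a SPA attaches to a state-changing request.
function antiforgeryHeaders(cookieString) {
  const token = readCookie(cookieString, XSRF_COOKIE);
  return token ? { [HEADER_NAME]: token } : {};
}

// Server side: both tokens must be present and belong to the same pair.
function validateRequest(request) {
  const cookieToken = request.cookies[ANTIFORGERY_COOKIE];
  const requestToken = request.headers[HEADER_NAME];
  if (!cookieToken || !requestToken) return { ok: false, reason: "missing token" };
  if (BOUND_PAIRS[cookieToken] !== requestToken) return { ok: false, reason: "tokens not bound" };
  return { ok: true };
}

// One POST after the middleware issued both cookies. The browser sends every
// cookie regardless of HttpOnly; only the header depends on script reading XSRF-TOKEN.
function simulatePost(xsrfCookieHttpOnly) {
  const issued = [
    { name: ANTIFORGERY_COOKIE, value: "cookie-token-1", httpOnly: true },
    { name: XSRF_COOKIE, value: "request-token-1", httpOnly: xsrfCookieHttpOnly },
  ];
  const cookies = Object.fromEntries(issued.map((c) => [c.name, c.value]));
  const headers = antiforgeryHeaders(visibleToScript(issued));
  return validateRequest({ cookies, headers });
}
```

Running simulatePost(false) and simulatePost(true) side by side shows which half of the exchange the HttpOnly flag affects: the cookie is sent either way, the header is only built when script can read the request token.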