Tags: c#, .net, asp.net-core, csrf, x-xsrf-token

Changes on the client side if we set HttpCookie.HttpOnly to true


In .NET Core we configure antiforgery features with IAntiforgery along with [ValidateAntiForgeryToken] or [AutoValidateAntiforgeryToken] to prevent Cross-Site Request Forgery (XSRF/CSRF) attacks.

To configure the antiforgery feature in middleware we use:

var antiforgery = app.Services.GetRequiredService<IAntiforgery>();

app.Use((context, next) =>
{
    var requestPath = context.Request.Path.Value;

    // Only issue tokens when the SPA shell is served, not on every request.
    if (string.Equals(requestPath, "/", StringComparison.OrdinalIgnoreCase)
        || string.Equals(requestPath, "/index.html", StringComparison.OrdinalIgnoreCase))
    {
        // GetAndStoreTokens sets the HttpOnly antiforgery cookie (the cookie token)
        // and returns the matching request token for the client to echo back.
        var tokenSet = antiforgery.GetAndStoreTokens(context);

        // The request token goes into a second, readable cookie so that
        // client-side JavaScript can copy it into the X-XSRF-TOKEN header.
        context.Response.Cookies.Append("XSRF-TOKEN", tokenSet.RequestToken!,
            new CookieOptions { HttpOnly = false });
    }

    return next(context);
});

Microsoft Doc Link

Now my question is: if we set new CookieOptions { HttpOnly = true }, then what changes do we need to make on the server side as well as the client side?


Solution

  • Changes on the client side? Realistically, absolutely none.

    It should be easier to use an HttpOnly cookie rather than extracting and storing your client-side cookie/token manually. The HttpOnly cookie just stops the cookie from being interceptable via client-side JavaScript. As long as you aren't actually trying to grab that cookie from the request (and why would you, it's stored in cookies!), then it will automatically be sent along with all of your requests.

    Server-side should work the same as always. HttpOnly is a client-side change
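Added example, not code from the question, the answer, or the Microsoft docs. In the documented pattern the XSRF-TOKEN cookie exists only so that JavaScript can read the request token and echo it back in the X-XSRF-TOKEN header; the server then compares that header value against the separate antiforgery cookie (the .AspNetCore.Antiforgery.* cookie), which GetAndStoreTokens already marks HttpOnly. A cookie the browser attaches automatically is exactly what a CSRF request rides on, so a token that only ever travels in cookies cannot be used as the second factor. Once XSRF-TOKEN is made HttpOnly the client can no longer read it, and the request token has to reach the client through another channel. The example below, written against .NET 8 minimal APIs, drops the readable cookie entirely and instead serves the request token from a JSON endpoint, then validates it explicitly with IAntiforgery.ValidateRequestAsync. The endpoint paths /antiforgery/token and /api/orders and the header name are assumptions chosen for this example.

```csharp
// Added example (not from the original post): request token delivered via a
// JSON endpoint instead of a readable XSRF-TOKEN cookie; the antiforgery
// cookie itself stays HttpOnly and is validated server-side.
using Microsoft.AspNetCore.Antiforgery;
using Microsoft.AspNetCore.Http;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddAntiforgery(options =>
{
    // Header the client must send on state-changing requests (assumed name).
    options.HeaderName = "X-XSRF-TOKEN";

    // The cookie token is never meant to be read by script, so keep it
    // HttpOnly and HTTPS-only; these are the settings that should be locked down.
    options.Cookie.HttpOnly = true;
    options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
});

var app = builder.Build();

// GET /antiforgery/token (assumed path): issues a fresh token pair.
// GetAndStoreTokens sets the HttpOnly antiforgery cookie on this response;
// only the request token is returned in the body for the SPA to hold in memory.
app.MapGet("/antiforgery/token", (HttpContext context, IAntiforgery antiforgery) =>
{
    var tokens = antiforgery.GetAndStoreTokens(context);
    return Results.Json(new { requestToken = tokens.RequestToken });
});

// POST /api/orders (assumed path): validate before doing any work.
// ValidateRequestAsync checks the X-XSRF-TOKEN header against the HttpOnly
// antiforgery cookie and throws if either is missing or they do not match.
app.MapPost("/api/orders", async (HttpContext context, IAntiforgery antiforgery) =>
{
    try
    {
        await antiforgery.ValidateRequestAsync(context);
    }
    catch (AntiforgeryValidationException)
    {
        return Results.BadRequest(new { error = "Invalid or missing antiforgery token." });
    }

    return Results.Ok(new { status = "order accepted" });
});

app.Run();
```

Client-side usage under this layout: the SPA first calls GET /antiforgery/token with credentials (same-origin fetch), keeps the returned requestToken in memory, and adds it as the X-XSRF-TOKEN header on every POST/PUT/DELETE. A cross-site page cannot obtain that value: it can trigger a request that carries the HttpOnly antiforgery cookie, but the same-origin policy stops it from reading the JSON body of the token endpoint, and without the header the POST fails validation. Two checks worth keeping in mind: do not expose /antiforgery/token through a permissive CORS policy with credentials, since that would hand the token to other origins, and keep the antiforgery cookie itself HttpOnly; it is the request token, not that cookie, that the client is supposed to handle.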