I am developing a basic ASP.NET web application using a combination of MVC Views and Web API. I also use Identity for user management.
Now I want to enable Anti-Request-Forgery tokens for our Web API. To do this, I use the IAntiforgery service in Razor views to call GetAndStoreTokens and pass the resulting RequestToken to $.ajax as a header, as described in the JavaScript section of the official documentation.
When I open the page that issues the Web API request while the user is signed in (cookie authentication), I can see that the request token is correctly set as an HTTP header (see the orange box in the image). However, the ASP.NET Core Anti-Forgery validation rejects the request with the following message:
Antiforgery token validation error. The required antiforgery cookie ".AspNetCore.Antiforgery.ybHEizTXFmU" is missing.
So the problem is that the Anti-Forgery token cookie (blue box) has a different identifier in its key: .AspNetCore.Antiforgery.lUjKpn5xN20 instead of .AspNetCore.Antiforgery.ybHEizTXFmU

How can this happen? The web application and the Web API run in the same process and on the same domain, so no cross-origin calls are made. Is this a problem with $.ajax (which I cannot explain, because the browser's cookies for the target site should be reused) or a problem in the ASP.NET Core Anti-Forgery module (or even Identity)?
feO2x
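The pattern the question refers to, as an added example that is not the asker's code: ASP.NET Core derives the default ".AspNetCore.Antiforgery.&lt;suffix&gt;" cookie name from the data protection ApplicationDiscriminator, so the configuration below pins the cookie and header names explicitly and shows the view and API sides that must agree on them. The cookie name, header name, controller and route are assumed names for illustration.

```csharp
// Added example (not from the question): pin the antiforgery cookie and header
// names so they no longer depend on the data protection ApplicationDiscriminator,
// from which the default ".AspNetCore.Antiforgery.<hash>" suffix is computed.
// The cookie/header names, the controller and the "/api/orders" route are assumed.
using Microsoft.AspNetCore.Antiforgery;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAntiforgery(options =>
        {
            // A fixed name: with the default, two hosting setups of the same
            // application can issue and expect differently named cookies.
            options.Cookie.Name = "X-CSRF-TOKEN-COOKIE";        // assumed name
            options.Cookie.HttpOnly = true;                       // script cannot read it
            options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
            // Header the JavaScript client must send; must match the $.ajax call below.
            options.HeaderName = "X-CSRF-TOKEN";                  // assumed name
        });
        services.AddMvc();
    }
}

// Web API endpoint protected by the same validation the question describes:
// the request is rejected unless the cookie token and the header token match.
[Route("api/[controller]")]
public class OrdersController : Controller
{
    [HttpPost]
    [ValidateAntiForgeryToken]
    public IActionResult Create() => Ok();
}

// Razor view side (assumed view; shown as a comment because it is not C#):
// @inject Microsoft.AspNetCore.Antiforgery.IAntiforgery Xsrf
// @{ var tokens = Xsrf.GetAndStoreTokens(Context); }  // sets the cookie, returns the request token
// <script>
//   $.ajax({ url: "/api/orders", type: "POST",
//            headers: { "X-CSRF-TOKEN": "@tokens.RequestToken" } });
// </script>
```

With an explicit Cookie.Name, a mismatch like the two suffixes in the question can no longer come from the discriminator, which narrows the remaining causes to how the cookie is issued and sent.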