C# · 3w ago
Cyclomatic

Why is the antiforgery token in the MS example appended only on "/" or "/index.html"?

I'm working on an Angular SPA front end and a C# web API backend. I want to use antiforgery cookies. The front end and backend live on the same server on different ports (not sure if any of this is relevant to the question).

I've got the antiforgery cookie correctly working: if I visit my page directly, www.mywebsite.com, then the token is appended and everything works fine. However, if I visit my Angular SPA starting at a URL that is not "/" or "/index.html", then the cookie is not appended and I get exceptions in my backend when trying to make calls. I think this is because I am implementing it as suggested here: https://learn.microsoft.com/en-us/aspnet/core/security/anti-request-forgery?view=aspnetcore-8.0#generate-antiforgery-tokens-with-iantiforgery

Why do they only append the XSRF-TOKEN when the path is "/" or "/index.html"? And, if I should continue doing as in the example, how do I solve the problem I am having? I.e. if I visit www.mywebsite.com/en, for example, the cookie is not appended and I get forgery token errors. Thanks in advance!
Prevent Cross-Site Request Forgery (XSRF/CSRF) attacks in ASP.NET Core
Discover how to prevent attacks against web apps where a malicious website can influence the interaction between a client browser and the app.
0 Replies
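Editor's note, added as a worked example and not part of the original post or of the Microsoft docs it links: the path check in the docs' middleware issues the XSRF-TOKEN cookie only when the request path is exactly "/" or "/index.html", because in that setup those are the only two requests that serve the SPA shell. A deep link such as /en is served by SPA fallback routing (MapFallbackToFile or equivalent), never matches the check, and so the browser ends up with no readable request token; the next POST is rejected by antiforgery validation, which is the exception the post describes. The Program.cs below issues the token on every GET that is about to serve the shell instead, and also exposes a dedicated token endpoint the SPA can call at bootstrap. It assumes .NET 8 minimal hosting, an API under the /api prefix, Angular's default XSRF-TOKEN cookie / X-XSRF-TOKEN header names, and HTTPS; the /api/orders endpoint is hypothetical.

```csharp
// Program.cs for an ASP.NET Core 8 minimal API that hosts an Angular SPA.
// Added example; the /api prefix and /api/orders endpoint are assumptions.
using Microsoft.AspNetCore.Antiforgery;

var builder = WebApplication.CreateBuilder(args);

// Angular's HttpClientXsrfModule reads the XSRF-TOKEN cookie and echoes it
// back in the X-XSRF-TOKEN header on mutating requests (both names are
// Angular's defaults; if you rename one, rename the other to match).
builder.Services.AddAntiforgery(options => options.HeaderName = "X-XSRF-TOKEN");

var app = builder.Build();

app.UseDefaultFiles();
app.UseStaticFiles();   // *.js, *.css, images: short-circuit, no token needed
app.UseAntiforgery();

static void IssueRequestToken(IAntiforgery antiforgery, HttpContext context)
{
    // GetAndStoreTokens also sets the HttpOnly antiforgery cookie that the
    // request token is later validated against.
    var tokens = antiforgery.GetAndStoreTokens(context);

    // The request token must be readable by script, so HttpOnly = false is
    // deliberate here; Secure/SameSite keep it from leaking elsewhere.
    context.Response.Cookies.Append("XSRF-TOKEN", tokens.RequestToken!,
        new CookieOptions { HttpOnly = false, Secure = true, SameSite = SameSiteMode.Strict });
}

// The docs' middleware only issued the cookie when the path was exactly "/" or
// "/index.html". A deep link like "/en/orders" falls through to the SPA
// fallback below and never matched. This variant issues the token on any GET
// that is going to serve the SPA shell: not an API call, not a file request.
app.Use(async (context, next) =>
{
    var path = context.Request.Path;
    bool servesSpaShell =
        HttpMethods.IsGet(context.Request.Method)
        && !path.StartsWithSegments("/api")
        && !Path.HasExtension(path.Value ?? string.Empty);

    if (servesSpaShell)
    {
        var antiforgery = context.RequestServices.GetRequiredService<IAntiforgery>();
        IssueRequestToken(antiforgery, context);
    }

    await next(context);
});

// Alternative: let the SPA fetch a token explicitly at bootstrap (e.g. from an
// Angular APP_INITIALIZER) so issuance does not depend on which URL was entered.
app.MapGet("/api/antiforgery/token", (IAntiforgery antiforgery, HttpContext context) =>
{
    IssueRequestToken(antiforgery, context);
    return Results.NoContent();
});

// A mutating endpoint that validates the token explicitly. Without a valid
// X-XSRF-TOKEN header (plus the paired cookie) ValidateRequestAsync throws
// AntiforgeryValidationException, which is the failure the post sees.
app.MapPost("/api/orders", async (IAntiforgery antiforgery, HttpContext context) =>
{
    try
    {
        await antiforgery.ValidateRequestAsync(context);
    }
    catch (AntiforgeryValidationException)
    {
        return Results.BadRequest("Missing or invalid antiforgery token.");
    }

    return Results.Ok(new { created = true });
});

// Deep links (/en, /en/orders/42, ...) are served by index.html so the Angular
// router can handle them; the middleware above has already set the cookie.
app.MapFallbackToFile("index.html");

app.Run();
```

Two caveats for the setup described in the post. Angular's built-in XSRF interceptor only attaches the header to relative URLs, so a front end that calls the API by absolute URL on another port needs a dev-server proxy or its own interceptor. And the cookie is the request token, not a credential: it is only useful together with the HttpOnly antiforgery cookie that GetAndStoreTokens sets on the same response, so a cross-site page cannot forge a valid pair even though XSRF-TOKEN itself is script-readable.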