Cookieless ASP.NET Core
I am developing an ASP.NET Core 3.1 application. I am not using any kind of authentication, session data/logic or form elements. I see the .AspNetCore.Antiforgery cookie in my developer console, although I did not call services.AddAntiforgery() in my Startup class.

I found this StackOverflow question with a very unsatisfying accepted answer, since this cookie will still be sent to the client (pointed out by hemp's comment).

So my question is: How do I completely remove this CSRF cookie?

Alduino answered 1/1, 2020 at 19:24 Comment(8)
What's the motivation for doing this? - Gastro
@KirkLarkin My motivation for doing this is to host a website without cookies. I think it's a nice feature, isn't it? - Galitea
ASP.NET Core tags add it by default -> you need something like this: <form method="post" asp-antiforgery="false"> - Kuchen
While it's a noble goal to have a site without cookies, the Antiforgery cookie is a security cookie that should not be removed imho. - Elecampane
@Elecampane The only form I have is the search input. There are no writing/modification processes in the whole website. It only displays plain data. From my research, the antiforgery token is not necessary in this case. Am I right? - Galitea
I would suggest using the AutoValidateAntiforgeryTokenAttribute, which will require an anti-forgery token only for unsafe requests. As long as the connection is secure your site will not pass a token for GET, HEAD, OPTIONS, TRACE requests: learn.microsoft.com/en-us/dotnet/api/…. Generally I would not omit the anti-forgery protection, but if you must, at least have a small backup. - Kuchen
There are a number of ways to opt out of request verification: learnrazorpages.com/security/request-verification#opting-out - Halfslip
@KirkLarkin Please think that you have a Razor Pages app with web API controllers for embedded devices. Razor Pages are for the UI and the API is for devices. Since embedded devices use a bearer token to authenticate, there is no need for a cookie like that. So, enable it for Razor Pages and disable it for web API controllers. - Ify
Asp.Net Core adds the anti forgery token automatically to the form.

You need <form method="post" asp-antiforgery="false">, this will omit the anti forgery token.

Even though this Microsoft documentation explains how to prevent cross-site request forgery, there is also a lot of material on how to ignore it -> https://learn.microsoft.com/en-us/aspnet/core/security/anti-request-forgery?view=aspnetcore-3.1#aspnet-core-antiforgery-configuration

All the appropriate techniques are listed in the docs.

Kuchen answered 1/1, 2020 at 20:4 Comment(5)
But the question asks how to disable the cookie, not the token sent within the form. Even though there is no form or even no view generated, the token is still transferred by the server. - Ify
I am not familiar with what you are talking about, could you please provide more info? - Kuchen
The question says a cookie is sent by the server. The name of the cookie is .AspNetCore.Antiforgery; the method you propose does not remove or prevent the cookie. Applying the method in your answer only prevents the hidden input field from being inserted into the form. Your answer does not answer the question properly. - Ify
I am sorry, I just tested this. No cookie is sent to the browser. I used Chrome: developers.google.com/web/tools/chrome-devtools/storage/cookies. Please provide evidence. Also make sure to delete the previous cookie that was created when the anti-forgery was true. I am more than glad to update the answer. I just cannot reproduce what you are saying. You are correct though: if there was a previous cookie, until it expires it is still there. You have to manually delete it, although your backend does not require it. Also feel free to answer this question yourself. - Kuchen
Sorry. That was my mistake. I was testing with Postman. I was sure I had cleared the cookies, but failed to do so. So I was seeing the stored cookie. Thank you for your reply. After testing with PowerShell I saw that no cookie was sent. - Ify
As panoskarajohn says,

Asp.Net Core adds the anti forgery token automatically to the form.

This happens because it is a tag helper, so you can stop the anti-forgery token by avoiding the tag helper. You can use the tag helper '!' opt-out symbol:

<!form method="post">
    …
</!form>

Also, You can avoid the tag helper for the entire page.

@removeTagHelper Microsoft.AspNetCore.Mvc.TagHelpers.FormTagHelper,  Microsoft.AspNetCore.Mvc.TagHelpers

Check this link http://blog.vivensas.com/cross-site-request-forgery-in-asp-net-core-formtaghelper/#avoidAntiForgeryToken

Dufy answered 2/1, 2020 at 6:6 Comment(0)
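Since the comments above show how easy it is to be fooled by a stale cookie left in the browser or in Postman, here is a check for the underlying claim. It is an added example, not code from the thread; it assumes an xUnit test project that references Microsoft.AspNetCore.Mvc.Testing, an application whose entry class is named Startup, and hypothetical paths / and /?q=test for the search form.

```csharp
// Added example: integration test proving that a GET response carries no
// .AspNetCore.Antiforgery cookie. The in-memory TestServer starts with an
// empty cookie jar, so a leftover cookie from an earlier configuration
// cannot be mistaken for one the server just issued.
using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Mvc.Testing;
using Xunit;

public class NoAntiforgeryCookieTests : IClassFixture<WebApplicationFactory<Startup>>
{
    private readonly WebApplicationFactory<Startup> _factory;

    public NoAntiforgeryCookieTests(WebApplicationFactory<Startup> factory)
    {
        _factory = factory;
    }

    [Theory]
    [InlineData("/")]          // hypothetical landing page
    [InlineData("/?q=test")]   // hypothetical GET search form submission
    public async Task Get_DoesNotSetAntiforgeryCookie(string path)
    {
        // HandleCookies = false: the client stores nothing between requests,
        // so every Set-Cookie we see was produced by this exact response.
        var client = _factory.CreateClient(
            new WebApplicationFactoryClientOptions { HandleCookies = false });

        var response = await client.GetAsync(path);
        response.EnsureSuccessStatusCode();

        var setCookies = response.Headers.TryGetValues("Set-Cookie", out var values)
            ? values
            : Enumerable.Empty<string>();

        // The antiforgery cookie name is prefixed with .AspNetCore.Antiforgery
        // (the default is followed by a hash); any match means a token was generated.
        Assert.DoesNotContain(setCookies,
            c => c.StartsWith(".AspNetCore.Antiforgery", StringComparison.Ordinal));
    }
}
```

Run it once with the form tag helper left in its default state and once after applying one of the opt-outs above; only the second run should pass if the cookie really comes from the token generated by the tag helper.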
