
I have an Angular 5 app and a .NET Core 2.0 Web API app hosted on Azure as App Services. The apps have two URLs, as below.

angularclient.azurewebsites.net
serviceapi.azurewebsites.net

The issue I am facing is that the Angular app is not receiving the .AspNetCore.Antiforgery cookie that is sent by serviceapi. The HTTP POST request generated by the Angular app has the "withCredentials: true" header. I have defined the CORS policy in the service API as below.

      app.UseCors(builder => builder.WithOrigins("angularclient.azurewebsites.net").AllowAnyMethod().AllowAnyHeader());

I sent a request using Postman to test whether cookies are sent by the server. For the Postman request, cookies are received without any issue. When I host the apps on my test IIS server and check, the application works fine in that environment. Help me find a solution to this issue.

bhathiya.m
  • You say you have a problem with the anti-forgery cookie not being set, but you showed us the code for configuring CORS. Angular expects a specific header name, so you need to configure your ASP.NET Core app correctly. See [here](https://damienbod.com/2017/05/09/anti-forgery-validation-with-asp-net-core-mvc-and-angular/) and [here](https://angular.io/api/common/http/HttpClientXsrfModule) – jpgrassi Dec 13 '18 at 14:23
  • Thanks for the advice. I have already configured my .NET Core app as you mentioned. Below are my .NET Core configurations: `services.AddAntiforgery(options => options.HeaderName = "X-XSRF-TOKEN");` `app.UseAntiforgeryTokenMiddleware("X-XSRF-TOKEN");` The application middleware configuration is as below: `context.Response.Cookies.Append(requestTokenCookieName, tokens.RequestToken, new CookieOptions() { HttpOnly = false });` – bhathiya.m Dec 14 '18 at 08:24
  • Can you post your entire `ConfigureServices` and `Configure` methods here? If it's too long, hide the unrelated parts. Configuring CORS has to happen before the call to `AddMvc`. – jpgrassi Dec 14 '18 at 08:38
  • Ah, also: in `context.Response.Cookies.Append..` use `XSRF-TOKEN` for the cookie name. This is the default cookie name Angular will look for, not `X-XSRF-TOKEN` as you are passing. – jpgrassi Dec 14 '18 at 08:48

1 Answer


It took a week to find the reason why this issue happened in Azure App Services. The reason was that Microsoft has banned cookies on the azurewebsites.net top domain by including it in the public suffix list. You can find more details here.

bhathiya.m
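The public suffix behaviour this answer describes, sketched as an added example that is not part of the original answer or of any browser's code: because `azurewebsites.net` is a public suffix, the two App Service hosts are separate sites and a cookie scoped to `Domain=azurewebsites.net` is rejected. The rule set is a constructed three-entry subset of the real list, and the `example.com` hosts and all function names are assumptions for illustration.

```javascript
// Constructed subset of Public Suffix List rules; the real list is far longer.
// "azurewebsites.net" is the entry the answer refers to.
const PSL_RULES = new Set(["com", "net", "azurewebsites.net"]);

// Longest suffix of `host` found in the rule set (this sketch has no wildcard
// or exception rules). Hosts with no listed suffix fall back to the last label.
function publicSuffix(host) {
  const labels = host.toLowerCase().split(".");
  for (let i = 0; i < labels.length; i++) {
    const candidate = labels.slice(i).join(".");
    if (PSL_RULES.has(candidate)) return candidate;
  }
  return labels[labels.length - 1];
}

// Registrable domain (eTLD+1): the public suffix plus one more label.
// Returns null when the host is itself a public suffix.
function registrableDomain(host) {
  const h = host.toLowerCase();
  const suffix = publicSuffix(h);
  if (h === suffix) return null;
  const extra = h.slice(0, h.length - suffix.length - 1).split(".");
  return extra[extra.length - 1] + "." + suffix;
}

// Two hosts are "same site" only when they share a registrable domain.
function sameSite(a, b) {
  const ra = registrableDomain(a);
  return ra !== null && ra === registrableDomain(b);
}

// RFC 6265 section 5.3: a Domain attribute that is a public suffix is rejected
// unless it equals the request host; otherwise the host must domain-match it.
function cookieDomainAccepted(requestHost, domainAttr) {
  const host = requestHost.toLowerCase();
  const domain = domainAttr.toLowerCase().replace(/^\./, "");
  if (publicSuffix(domain) === domain) return host === domain;
  return host === domain || host.endsWith("." + domain);
}
```

With a custom domain, the same two apps would share a registrable domain and count as one site, which is why the behaviour differs from a host name under `azurewebsites.net`.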