Cookieless ASP.NET Core

旧巷老猫 提交于 2020-01-30 05:17:06

问题


I am developing an ASP.NET Core 3.1 application. I am not using any kind of authentication, session data/logic and form elements. I see the .AspNetCore.Antiforgery cookie in my in my developer console, although I did not call services.AddAntiforgery() in my Startup class.

I found this StackOverflow question with a very unsatisfying accepted answer, since this cookie will still be sent to the client (pointed out by hemp's comment).

So my question is: How do I completely remove this CSFR cookie?


回答1:


Asp.Net Core adds the anti forgery token automatically to the form.

You need <form method="post" asp-antiforgery="false">, this will omit the anti forgery token.

Even though this documentation of Microsoft says how to prevent Cross Site. There is a lot of material on how to ignore it -> https://docs.microsoft.com/en-us/aspnet/core/security/anti-request-forgery?view=aspnetcore-3.1#aspnet-core-antiforgery-configuration




回答2:


As panoskarajohn says,

Asp.Net Core adds the anti forgery token automatically to the form.

Because it is a tag helper. So you can avoid the tag helper to stop the anti-forgery token. You can use the tag helper ‘!’ opt-out symbol

<!form  method=”post”>
    …
</!form >

Also, You can avoid the tag helper for the entire page.

@removeTagHelper Microsoft.AspNetCore.Mvc.TagHelpers.FormTagHelper,  Microsoft.AspNetCore.Mvc.TagHelpers

Check this link http://blog.vivensas.com/cross-site-request-forgery-in-asp-net-core-formtaghelper/#avoidAntiForgeryToken



来源:https://stackoverflow.com/questions/59555441/cookieless-asp-net-core

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!