I am developing an ASP.NET Core 3.1 application. I am not using any kind of authentication, session data/logic and form elements. I see the .AspNetCore.Antiforgery cookie in my in my developer console, although I did not call services.AddAntiforgery()
in my Startup
class.
I found this StackOverflow question with a very unsatisfying accepted answer, since this cookie will still be sent to the client (pointed out by hemp's comment).
So my question is: How do I completely remove this CSFR cookie?
cookieless means that the sessionId is munged into the url for each request as opposed to setting a cookie on the browser.
By default, the SessionID value is stored in a non-expiring session cookie in the browser. If you specify cookieless="true" then: ASP.NET maintains cookieless session state by automatically inserting a unique session ID into the page's URL.
Asp.Net Core adds the anti forgery token automatically to the form
.
You need <form method="post" asp-antiforgery="false">
, this will omit the anti forgery token.
Even though this documentation of Microsoft says how to prevent Cross Site. There is a lot of material on how to ignore it -> https://docs.microsoft.com/en-us/aspnet/core/security/anti-request-forgery?view=aspnetcore-3.1#aspnet-core-antiforgery-configuration
All the appropriate techniques are listed in the docs.
As panoskarajohn says,
Asp.Net Core adds the anti forgery token automatically to the form.
Because it is a tag helper. So you can avoid the tag helper to stop the anti-forgery token. You can use the tag helper ‘!’ opt-out symbol
<!form method=”post”>
…
</!form >
Also, You can avoid the tag helper for the entire page.
@removeTagHelper Microsoft.AspNetCore.Mvc.TagHelpers.FormTagHelper, Microsoft.AspNetCore.Mvc.TagHelpers
Check this link http://blog.vivensas.com/cross-site-request-forgery-in-asp-net-core-formtaghelper/#avoidAntiForgeryToken
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With