SPA code sample adds two cookies

[iantonge]

After copying the code sample provided for use with AngularJS, I noticed that two antiforgery cookies are being added: XSRF-TOKEN and .AspNetCore.Antiforgery.xxxxxxxxxxx. This appears to be because we're calling antiforgery.GetAndStoreTokens(context) rather than antiforgery.GetTokens(context).

Given that GetAndStoreTokens will add the cookie on our behalf anyway, maybe the sample should just set the name of the cookie when configuring the service (which is what I have done in my application).

---

Document Details

⚠ Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.

• ID: 47b14f57-82ac-a2e2-cbc7-22a81a60f4ac
• Version Independent ID: bffca13c-223f-c61f-9cb2-9da8811eecfa
• Content: Prevent Cross-Site Request Forgery (XSRF/CSRF) attacks in ASP.NET Core
• Content Source: aspnetcore/security/anti-request-forgery.md
• Product: aspnet-core
• Technology: aspnetcore-security
• GitHub Login: @steve-smith
• Microsoft Alias: riande

[Johnnybu]

Since I nearly assumed the same thing, I did a little research on this. It looks like this is the correct behavior because one is the request token (stored in a cookie so that JS can access it) and another is the session cookie token. See this excellently written article here for details: https://www.dotnetcurry.com/aspnet/1343/aspnet-core-csrf-antiforgery-token.

quote from the article:

More specifically, it implements a mixture of the Double Submit Cookie and Encrypted Token Pattern described in the OWASP cheat sheet.

[Rick-Anderson]

Thanks for contacting us. We believe that the question you've raised have been answered. If you still feel a need to continue the discussion, feel free to reopen it and add your comments.