.netasp.net-mvccookiesumbracoumbraco7

@Html.AntiForgeryToken() RequestVerificationToken set-cookie header missing from response


I am using @Html.AntiForgeryToken() to protect a form.

When I load the page with the form in my local development environment, the response contains the following header:

set-cookie __RequestVerificationToken=<token>; path=/; HttpOnly

When I load the page in an Azure hosted environment, this response header is not present. Given than the header is missing, the cookie will not be set in my browser and validation will fail when I submit the form.

In my local environment I have tested this over HTTP with IIS Express and HTTPS with IIS.

Let me know if I can provide any more information about my local or Azure environment. The site is built using Umbraco 7 and I am also using NWebSec to enforce CSP.


Solution

  • I resolved this issue by adding the following line to my web.config file in the Azure environment:

    <httpCookies httpOnlyCookies="true" requiresSSL="true" />