.NET Core 3.1, Vue, Axios and [ValidateAntiForgeryToken]
As discussed in the comments on your question, I have a faint memory of it being related to the ordering of something in the AppStartup. Here is a dump of what I have. This currently works (well, seems to).
```csharp
/// <summary>
/// This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
/// </summary>
/// <param name="app">The <see cref="IApplicationBuilder"/>.</param>
/// <param name="env">The <see cref="IHostingEnvironment"/>.</param>
/// <param name="antiforgery">Enables setting of the antiforgery token to be served to the user.</param>
public void Configure(IApplicationBuilder app, IHostingEnvironment env, IAntiforgery antiforgery)
{
    if (env.IsDevelopment())
    {
        app.UseDeveloperExceptionPage();
        app.UseWebpackDevMiddleware(new WebpackDevMiddlewareOptions
        {
            HotModuleReplacement = true,
        });
    }

    app.UseSession();
    app.UseHttpsRedirection();
    app.UseStaticFiles();

    // global cors policy
    app.UseCors(x => x
        .AllowAnyOrigin()
        .AllowAnyMethod()
        .AllowAnyHeader());

    // Authenticate before the user accesses secure resources.
    app.UseAuthentication();

    app.Use(next => context =>
    {
        string path = context.Request.Path.Value;
        if (path.IndexOf("a", StringComparison.OrdinalIgnoreCase) != -1 ||
            path.IndexOf("b", StringComparison.OrdinalIgnoreCase) != -1)
        {
            // The request token can be sent as a JavaScript-readable cookie,
            // and Angular uses it by default.
            var tokens = antiforgery.GetAndStoreTokens(context);
            context.Response.Cookies.Append("XSRF-TOKEN", tokens.RequestToken,
                new CookieOptions() { HttpOnly = false });
        }

        return next(context);
    });

    app.Use(next => context =>
    {
        string timezone = context.Request.Headers["Timezone"];
        if (!string.IsNullOrEmpty(timezone))
        {
            context.Session.SetString(nameof(HttpContextSessionValues.SessionStrings.Timezone), timezone);
        }

        return next(context);
    });

    app.UseExceptionHandler(errorApp =>
    {
        errorApp.Run(async context =>
        {
            context.Response.StatusCode = 500;
            context.Response.ContentType = "text/html";

            var exHandlerFeature = context.Features.Get<IExceptionHandlerFeature>();
            var exception = exHandlerFeature.Error;
            if (exception is PresentableException)
            {
                await context.Response.WriteAsync(exception.Message).ConfigureAwait(false);
            }
            else
            {
                await context.Response.WriteAsync("An Unexpected error has occured. You may need to try again.").ConfigureAwait(false);
            }
        });
    });

    app.UseHsts();

    app.UseMvc(routes =>
    {
        routes.MapRoute(
            name: "default",
            template: "{controller=Home}/{action=Index}/{id?}");

        routes.MapSpaFallbackRoute(
            name: "spa-fallback",
            defaults: new { controller = "Home", action = "Index" });
    });
}
```
Where is the definition of HttpContextSessionValues.SessionStrings.Timezone?
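The client half of the `XSRF-TOKEN` cookie set by the middleware in the answer, as an added example that is not part of the original posts: it reads the cookie and returns it as a request header for same-origin requests only, using the cookie and header names Axios uses by default. It assumes the server was configured with `services.AddAntiforgery(o => o.HeaderName = "X-XSRF-TOKEN")` (the ASP.NET Core default header name is `RequestVerificationToken`); the helper names, origins and sample cookie string are constructed.

```javascript
// Added example: how a browser client turns the XSRF-TOKEN cookie into a header.
const XSRF_COOKIE = "XSRF-TOKEN";   // cookie name used in the answer's middleware
const XSRF_HEADER = "X-XSRF-TOKEN"; // Axios default xsrfHeaderName; server side is an assumption

// Extract one cookie by exact name from a document.cookie-style string.
function readCookie(cookieString, name) {
  for (const part of cookieString.split(";")) {
    const eq = part.indexOf("=");
    if (eq === -1) continue;
    // Exact match on the trimmed name, so "XXSRF-TOKEN" is not accepted.
    if (part.slice(0, eq).trim() === name) {
      // ASP.NET Core URL-encodes cookie values when appending them.
      return decodeURIComponent(part.slice(eq + 1).trim());
    }
  }
  return null;
}

// Return the headers for a request, adding the antiforgery token only when
// the target is the page's own origin, so the token never leaves the site.
function withAntiforgeryHeader(request, cookieString, pageOrigin) {
  const headers = { ...(request.headers || {}) };
  const target = new URL(request.url, pageOrigin);
  if (target.origin !== new URL(pageOrigin).origin) return headers;
  const token = readCookie(cookieString, XSRF_COOKIE);
  // No cookie yet: send nothing and let [ValidateAntiForgeryToken] reject the call.
  if (token !== null) headers[XSRF_HEADER] = token;
  return headers;
}

// Constructed sample values (not real tokens or hosts).
const SAMPLE_COOKIES = "theme=dark; XSRF-TOKEN=CfDJ8constructed%2Btoken; lang=en";
const SAMPLE_ORIGIN = "https://app.example.test";

function demo() {
  return {
    sameOrigin: withAntiforgeryHeader(
      { url: "/api/orders", method: "POST" }, SAMPLE_COOKIES, SAMPLE_ORIGIN),
    crossOrigin: withAntiforgeryHeader(
      { url: "https://other.example.test/api", method: "POST" }, SAMPLE_COOKIES, SAMPLE_ORIGIN),
  };
}
```

The token cookie has to stay readable by script (`HttpOnly = false`, as in the answer) for this to work; the antiforgery cookie that ASP.NET Core pairs it with remains `HttpOnly`.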