please give me a code i want to prevent my website from csrf by using csrf-token, i want not to show page url or generate a random code in my url that expires every new time that we click on the link how can i do it?
There are great number of examples available in Google for CSRF-token.Language obviously you can only know whether you are using java or C#.Net or whatever.Please be specific while you are discussing on some topics.
If cookies are refused then the user gets a new session with each request, the site doesn't know it is a returning user. You can configure cookieless sessions in the config which will add a tracking ID to the url instead but this is generally a bad thing.
If you want cookieless sessions you need to enable them in the configuration and everyone uses them, even people who accept cookies. Generally I'd stick with cookies being required for sessions, if the user doesn't want to accept cookies then they have to put up with the consequences of that.
Chances are you won't find any good and free library that can do this. Most libraries are either paid solutions or incomplete indie projects. Your luck is, that you want to do this with .NET Core 2.0, which can accept any .NET framework targeting library, thus any NuGet library will work just fine. iTextSharp can be looked at, but I am unsure.
You may also need to update callback references in, for example, Paypal if you use their Instant Payment Notifications, and in Google Analytics.
Otherwise you can enforce https within web.config - but you may want to ensure everything is working first. You can obtain free SSL certificates from Lets Encrypt[^] - if you're on a Windows server, I quite like the Certify[^] manager for getting and installing them.
There no real need to test it locally - as I say, you can test it on https while leaving plain http in place, until you're happy it's all working, and then enforce https (See below). If you really want to, you can though - but exactly how depends on your local setup. You'll need to open your router, and point a domain to your machine and bind that in ISS... etc etc.
Here is what I put in web.config to enforce https:
This, but I would add that server configuration is not a developer's job; that's the responsibility of the System Admins. Let them handle SSL configuration, and write your application in a way that will allow them to do that.
"There are three kinds of lies: lies, damned lies and statistics."
- Benjamin Disraeli