I want to remove the cookie from the request header and set its value under a different name, "XSRFHeader", as a separate header in ASP.NET with C#. With the code below, this works in some environments but not in all when checking via the dev tools/Burp tool. The code portion is updated below.

What I have tried:

The core code is as below:

var responseCookie = new HttpCookie(AntiXsrfTokenKey)
{
    HttpOnly = true,
    Value = _antiXsrfTokenValue
};
if (FormsAuthentication.RequireSSL && Request.IsSecureConnection)
{
    responseCookie.Secure = true;
}

// Updated by Alex on 18.1.2022: expose the AntiXSRF token value as a separate
// response header, XSRFHeader, instead of setting the cookie. Start
//Response.Cookies.Set(responseCookie);
try
{
    Common.WriteDDSLog("Removing cookie AntiXSRFToken from header started");
    // The Response.Cookies indexer creates the cookie if it is not already in the
    // collection, so this always emits an empty, already-expired __AntiXsrfToken cookie.
    Response.Cookies["__AntiXsrfToken"].Value = string.Empty;
    Response.Cookies["__AntiXsrfToken"].Expires = DateTime.Now.AddMonths(-20);
    Common.WriteDDSLog("Removing cookie AntiXSRFToken from header finished");
}
catch (Exception ex)
{
    Common.WriteDDSLog("Removing cookie AntiXSRFToken from header failed: " + ex.Message
        + Environment.NewLine + ex.InnerException + Environment.NewLine + ex.StackTrace);
}
// The token now reaches the client only in this custom response header; nothing
// causes the browser to send it back on later requests.
Response.AppendHeader("XSRFHeader", _antiXsrfTokenValue);
Common.WriteDDSLog("Response header XSRFHeader appended with value: " + _antiXsrfTokenValue);
Posted; updated 2-Feb-22 22:09pm (v2)

1 solution

Your custom response header will have no effect on any web browser, and it will not be included with any subsequent requests made by the browser. It is therefore completely useless for preventing cross-site request forgery.

As I said the last time you posted this question, you need to explain precisely why you think the anti-XSRF system used extensively across the internet is somehow not suitable for your application. If you can't provide a cogent response to that, then you need to stop trying to reinvent the wheel.
Comments
Member 15421351, 3-Feb-22 6:22am:
It's a client requirement as such. This custom header code is coming well in my hosted environment but the same not coming in another server. I just want to know the reason for that.
Richard Deeming, 3-Feb-22 6:28am:
Part of your job as a developer is to tell the client when their requirements make no sense. You can't simply demand that the entire world changes to fit in with your client's requirement instead!

Agnes Skinner: "I want all my shopping in one bag. But I don't want that bag to be heavy!"
Bag packer: "Sorry ma'am, but I don't think that's possible."
Agnes Skinner: "Who are you, the 'possible' police? Just do it!"

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)