myesn

ABP: after starting behind an nginx reverse proxy, the ajax POST requests on the page respond with a 302 redirect to the Error page.

Background

Modern ASP.NET Core applications have antiforgery token validation enabled by default.

When an ABP web application is started behind an nginx reverse proxy with SSL, the ajax POST requests made by the page fail and are answered with a 302 redirect to the Error page.

Troubleshooting

Whether the ajax request is made through jQuery or through ABP's Dynamic JavaScript API Client Proxies, the console the application was started from prints the following warning:

[11:18:11 WRN] The required antiforgery request token was not provided in either form field "__RequestVerificationToken" or header value "RequestVerificationToken".

Correspondingly, the ajax request fails with a 400 error and is answered with a 302 redirect to the Error page.

The console warning is clear: the token value was passed in neither the form nor the request header, so the next question is where the token value comes from. Looking at the ABP source code, it is obtained like this:

abp.utils.getCookieValue(abp.security.antiForgery.tokenCookieName)

That is, the value of the 'XSRF-TOKEN' key is read from the cookie. Running that expression in the browser console, however, returns null. The browser's cookie table does show 'XSRF-TOKEN', but hovering over it reveals a warning about the cookie.

In short, the cookie is set, but the browser blocks it because of a Secure-attribute problem, which is equivalent to it never having been set. JavaScript therefore cannot read the value, the ajax request is sent without the token, the ABP server-side token validation fails, and the request is redirected to the Error page.
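To make the failure mode above reproducible offline, here is an added example (not ABP's own code) that models the client-side cookie lookup and the server's "was a token provided?" precheck behind the warning; the cookie strings are constructed, and the server check is a simplified stand-in that does not do the cryptographic token-to-cookie comparison real antiforgery validation performs.

```javascript
// Added example, not ABP's code: models the token lookup and the
// "token provided?" check so the blocked-cookie case can be reproduced.
const TOKEN_COOKIE_NAME = 'XSRF-TOKEN';              // abp.security.antiForgery.tokenCookieName
const TOKEN_HEADER_NAME = 'RequestVerificationToken'; // header named in the warning
const TOKEN_FORM_FIELD = '__RequestVerificationToken'; // form field named in the warning

// Equivalent of abp.utils.getCookieValue: read one cookie from a
// document.cookie-style string. Returns null when the cookie is absent,
// which is exactly what a browser-blocked cookie looks like to JavaScript.
function getCookieValue(cookieString, name) {
  for (const part of cookieString.split(';')) {
    const [key, ...rest] = part.trim().split('=');
    if (key === name) return decodeURIComponent(rest.join('='));
  }
  return null;
}

// Build the headers an ABP ajax call would send; the token header is only
// attached when the cookie could actually be read.
function buildAjaxHeaders(cookieString) {
  const headers = { 'Content-Type': 'application/json' };
  const token = getCookieValue(cookieString, TOKEN_COOKIE_NAME);
  if (token !== null) headers[TOKEN_HEADER_NAME] = token;
  return headers;
}

// Simplified stand-in for the server-side check: a POST carrying no token in
// either the form field or the header is rejected with 400, as in the post.
function antiforgeryPrecheck(headers, formFields = {}) {
  const provided = TOKEN_HEADER_NAME in headers || TOKEN_FORM_FIELD in formFields;
  return provided
    ? { status: 200 }
    : { status: 400, reason: 'The required antiforgery request token was not provided' };
}

// Constructed cookie strings: a working session, and the blocked-cookie case
// where XSRF-TOKEN never reaches JavaScript.
const cookiesWithToken = 'XSRF-TOKEN=abc123; .AspNetCore.Culture=c%3Den';
const cookiesWithoutToken = '.AspNetCore.Culture=c%3Den';

console.log(antiforgeryPrecheck(buildAjaxHeaders(cookiesWithToken)).status);    // 200
console.log(antiforgeryPrecheck(buildAjaxHeaders(cookiesWithoutToken)).status); // 400
```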

Solution

Open the ?WebModule class of the web project and add the following code:

// Namespaces the module file needs for the types used below.
using Microsoft.AspNetCore.Http;
using Volo.Abp.AspNetCore.Mvc.AntiForgery;
using Volo.Abp.Modularity;

public override void ConfigureServices(ServiceConfigurationContext context)
{
    ConfigureAntiForgery();
}

private void ConfigureAntiForgery()
{
    Configure<AbpAntiForgeryOptions>(options =>
    {
        // Always emit the XSRF-TOKEN cookie with the Secure attribute,
        // regardless of whether the app itself saw an HTTPS request.
        options.TokenCookie.SecurePolicy = CookieSecurePolicy.Always;
    });
}
