// Checks credentials (LoginAsync) and produces the ClaimsIdentity / JWT for a logged-in user.
private readonly UserService _userService;
// ASP.NET Core antiforgery service; its request token is surfaced to the SPA as the XSRF-TOKEN cookie.
private readonly IAntiforgery _antiforgery;
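/// <summary>
/// Creates the controller with its collaborators supplied by dependency injection.
/// </summary>
/// <param name="userService">Checks credentials and produces the claims identity / JWT.</param>
/// <param name="antiforgery">Antiforgery service used to issue CSRF tokens.</param>
/// <exception cref="System.ArgumentNullException">Either dependency is <c>null</c>.</exception>
public UserApiController(UserService userService,
    IAntiforgery antiforgery)
{
    // Fail fast on a misconfigured container instead of with a NullReferenceException
    // deep inside the first login request.
    _userService = userService ?? throw new System.ArgumentNullException(nameof(userService));
    _antiforgery = antiforgery ?? throw new System.ArgumentNullException(nameof(antiforgery));
}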
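/// <summary>
/// Issues a fresh antiforgery token pair for the current request and exposes the
/// request token to client-side script through the <c>XSRF-TOKEN</c> cookie.
/// </summary>
/// <remarks>
/// Only the request token is copied into the cookie; the antiforgery cookie token is
/// expected to be stored by <see cref="IAntiforgery.GetAndStoreTokens"/> itself.
/// The cookie is deliberately readable by script (<c>HttpOnly = false</c>): the SPA has to
/// read it and echo it in a request header for <c>[ValidateAntiForgeryToken]</c> to pass.
/// It is marked <c>Secure</c> and <c>SameSite=Strict</c> so it is never sent over plain
/// HTTP or on cross-site requests. NOTE(review): <c>Secure</c> means the cookie is dropped
/// on HTTP origins, so local development must also run over HTTPS.
/// </remarks>
private void RefreshCSRFToken()
{
    var tokens = _antiforgery.GetAndStoreTokens(HttpContext);
    HttpContext.Response.Cookies.Append("XSRF-TOKEN",
        tokens.RequestToken,
        new CookieOptions()
        {
            HttpOnly = false,           // intentional: the SPA reads it back (double-submit pattern)
            Secure = true,              // never transmit the token over plain HTTP
            SameSite = SameSiteMode.Strict
        });
}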
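/// <summary>
/// Verifies the posted credentials and, on success, establishes the session by setting an
/// <c>HttpOnly</c> <c>jwt</c> cookie plus a fresh <c>XSRF-TOKEN</c> cookie.
/// </summary>
/// <param name="loginModel">
/// Credentials bound from the JSON body; <c>[ValidateModel]</c> and <c>[TrimInputStrings]</c>
/// run before this method, but a missing or unparseable body can still bind as <c>null</c>.
/// </param>
/// <returns>
/// 200 with no body on success; 401 with a deliberately generic message on failure (the
/// same text for an unknown user and a wrong password, so the endpoint does not reveal which
/// accounts exist); 400 when no body was bound.
/// </returns>
/// <remarks>
/// The endpoint is guarded by <c>[ValidateAntiForgeryToken]</c>, so the caller must already
/// hold an XSRF token before authenticating. NOTE(review): this assumes an unauthenticated
/// endpoint hands out the initial token — not shown here. The JWT is placed only in an
/// <c>HttpOnly</c>, <c>Secure</c>, <c>SameSite=Strict</c> cookie and is never returned in the
/// response body, so script on the page cannot read it.
/// </remarks>
[HttpPost]
[Route("login")]
[ValidateAntiForgeryToken]
[ValidateModel]
[TrimInputStrings]
public async Task<IActionResult> Login([FromBody]LoginViewModel loginModel)
{
    // Without [ApiController] a missing body binds as null; reject it explicitly instead of
    // letting LoginAsync dereference it.
    if (loginModel is null)
    {
        return BadRequest();
    }

    var userDto = await _userService.LoginAsync(loginModel);
    if (userDto is null)
    {
        // One message for both "no such user" and "wrong password": no account enumeration.
        return Unauthorized("Invalid user name or password.");
    }

    var claimsIdentity = _userService.GenerateClaimsIdentity(userDto);
    var jwtToken = _userService.GenerateJwtToken(claimsIdentity);

    // Set the principal before issuing the XSRF token: antiforgery tokens are (presumably,
    // depending on the antiforgery configuration — confirm) bound to the current identity,
    // so a token minted for the anonymous user would be rejected once logged in.
    HttpContext.User = new ClaimsPrincipal(claimsIdentity);
    RefreshCSRFToken();

    // HttpOnly keeps the token out of reach of XSS; Secure and SameSite=Strict keep it off
    // plain HTTP and cross-site requests (use Lax instead if the cookie must accompany
    // top-level navigations arriving from other sites). No Expires is set, so this is a
    // session cookie; the JWT's own expiry (not visible here) still bounds its validity.
    HttpContext.Response.Cookies.Append("jwt",
        jwtToken,
        new CookieOptions()
        {
            HttpOnly = true,
            Secure = true,
            SameSite = SameSiteMode.Strict
        });

    return Ok();
}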