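/// <summary>
/// Authenticates a user by e-mail and password, issues a short-lived HS256 JWT in an
/// <c>access_token</c> cookie and returns the matching <see cref="User"/>.
/// </summary>
/// <param name="email">E-mail address supplied by the client.</param>
/// <param name="password">Clear-text password supplied by the client.</param>
/// <returns>
/// 200 with the user (its password field cleared); 400 when the input is empty or the
/// lookup throws <see cref="ArgumentException"/>; 401 when no single matching user exists.
/// </returns>
public ActionResult<User> GetUserByEmailAndPassword(string email, string password)
{
    // Reject empty input before touching the store. The original only surfaced this,
    // if at all, as an ArgumentException thrown somewhere inside the lookup.
    if (string.IsNullOrEmpty(email) || string.IsNullOrEmpty(password))
    {
        return BadRequest("Wrong credentials!");
    }

    try
    {
        // NOTE(review): the store holds a *reversible* encryption of the password
        // (both ConvertToEncrypt and ConvertToDecrypt exist). It should hold a salted,
        // slow hash (PBKDF2/Argon2) and the comparison should happen in application
        // code with CryptographicOperations.FixedTimeEquals. That is a change to
        // EncryptPassword and the schema, not to this action, so the lookup is kept.
        string storedForm = EncryptPassword.ConvertToEncrypt(password);
        User user = context.User.SingleOrDefault(u => u.Email == email && u.Password == storedForm);
        if (user is null)
        {
            return Unauthorized();
        }

        // Never echo the credential back: the original decrypted the stored password
        // into the response body. Clear it instead.
        user.Password = null;

        // SECURITY: hard-coded signing key, issuer and audience. These belong in
        // configuration / secret storage and must match what the token-validation
        // middleware uses; they are left as-is only because changing them here would
        // desynchronise validation configured elsewhere in this application.
        var secretKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes("superSecretKey@345"));
        var signingCredentials = new SigningCredentials(secretKey, SecurityAlgorithms.HmacSha256);

        // The original issued a token with an empty claim list, so it identified
        // nobody: any valid token would be accepted as any user. Carry the subject.
        var claims = new List<Claim>
        {
            new Claim(JwtRegisteredClaimNames.Sub, user.Email),
            new Claim(ClaimTypes.Email, user.Email),
        };

        var tokenOptions = new JwtSecurityToken(
            issuer: "http://localhost:16615",
            audience: "http://localhost:16615",
            claims: claims,
            expires: DateTime.UtcNow.AddMinutes(5),
            signingCredentials: signingCredentials);
        string tokenString = new JwtSecurityTokenHandler().WriteToken(tokenOptions);

        // SECURITY: "*" combined with Allow-Credentials=true is rejected by browsers
        // for credentialed requests, and a wildcard would otherwise let any origin
        // read this response. CORS belongs in the middleware (AddCors with an explicit
        // origin allow-list), not in an action. The indexer is used instead of Add so
        // that an already-present header (e.g. set by CORS middleware) does not throw
        // ArgumentException, which the catch below would misreport as bad credentials.
        HttpContext.Response.Headers["Access-Control-Allow-Origin"] = "*";
        HttpContext.Response.Headers["Access-Control-Allow-Credentials"] = "true";

        HttpContext.Response.Cookies.Append("access_token", tokenString, new CookieOptions
        {
            HttpOnly = true,
            // Secure only when this request came in over TLS, so local http:// dev
            // (see the issuer above) keeps working while a TLS deployment gets the flag.
            Secure = HttpContext.Request.IsHttps,
            SameSite = SameSiteMode.Lax,
        });

        return Ok(new { User = user });
    }
    catch (ArgumentException)
    {
        return BadRequest("Wrong credentials!");
    }
    catch (InvalidOperationException)
    {
        // SingleOrDefault still throws when more than one row matches the e-mail.
        return Unauthorized();
    }
}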