Is there a way to rename the RequestVerificationToken cookie name?

2

11

Using ASP.NET MVC v2.0, is there any way to change the name of the __RequestVerificationToken cookie? In an effort to conceal our underlying technology stack, I’d like to rename the cookie to something that can’t be traced back to ASP.NET MVC.

More info on this at Steve Sanderson's blog.

Howsoever answered 6/8, 2010 at 2:36 Comment(0)
3

Looking at the MVC 2 source code, I don't think it's possible to change the cookie name. The AntiForgeryData class starts:

private const string AntiForgeryTokenFieldName = "__RequestVerificationToken";

and to get the cookie name it just calls:

string cookieName = AntiForgeryData.GetAntiForgeryTokenName(ViewContext.HttpContext.Request.ApplicationPath);

in the HtmlHelper class. It takes the application path and converts it to base 64 and appends it onto the end of __RequestVerificationToken which is what you see when you view the source.

If you really need to change the name, I'd recommend downloading the MVC 2 source code from CodePlex and looking at creating your own HTML helper and anti-forgery token, using the source code as a reference. But in doing this you could always introduce your own bugs...

Indeterminism answered 6/8, 2010 at 9:13 Comment(1)
Thanks for providing such a detailed analysis. I think I'll just stick with the default name for now, not keen on maintaining more source code. Perhaps I'll make this request to the MVC team. - Howsoever
31

ASP.NET MVC 3 and 4 let you change the cookie name by setting the static AntiForgeryConfig.CookieName property. (MSDN reference here)

I know that the question asks specifically about ASP.NET MVC 2, but this question still returns high up the search engine rankings for appropriate queries such as "ASP.NET MVC AntiForgeryToken cookie name". I thought I'd add the information here to save others from decompiling the ASP.NET MVC 3+ source code like I did.

Chronopher answered 5/3, 2013 at 15:56 Comment(1)
Unfortunately there is no equivalent for changing the hidden input name __RequestVerificationToken. - Kalisz
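An added example, not part of any answer above and not ASP.NET MVC code: a check you can run against your own application's responses to see whether the default token name still shows up after setting AntiForgeryConfig.CookieName, including in the hidden form field the comment mentions. The sample responses and the cookie name "xsrf" are constructed, and the "_" separator and the character substitutions undone in decode_app_path are assumptions about how MVC 2 makes the base64 suffix cookie-safe.

```python
import base64
import re

DEFAULT_NAME = "__RequestVerificationToken"  # default name quoted on this page

# Constructed sample: cookie renamed to "xsrf" (hypothetical value), but the
# form still carries the default hidden field name.
SAMPLE_RENAMED = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: xsrf=abc123; path=/; HttpOnly\r\n"
    "Content-Type: text/html\r\n\r\n"
    '<form method="post"><input name="__RequestVerificationToken" '
    'type="hidden" value="def456" /></form>'
)
# Constructed sample: MVC 2 style default cookie for application path "/shop".
SAMPLE_DEFAULT = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: __RequestVerificationToken_L3Nob3A_=abc123; path=/\r\n"
    "\r\n<html></html>"
)


def decode_app_path(name):
    """Recover the application path from a default-style name, else None."""
    suffix = name[len(DEFAULT_NAME):]
    if not suffix.startswith("_"):
        return None
    # Assumed cookie-safe substitutions: '+' -> '.', '/' -> '-', '=' -> '_'
    b64 = suffix[1:].replace(".", "+").replace("-", "/").replace("_", "=")
    try:
        return base64.b64decode(b64, validate=True).decode("utf-8")
    except ValueError:  # covers bad base64 and bad UTF-8
        return None


def audit(raw_response):
    """Return (kind, name, app_path) for each default-named cookie or field."""
    head, _, body = raw_response.partition("\r\n\r\n")
    cookies = re.findall(r"(?im)^Set-Cookie:\s*([^=;\s]+)=", head)
    fields = re.findall(r"(?i)<input\b[^>]*\bname=[\"']([^\"']+)[\"']", body)
    findings = []
    for kind, names in (("cookie", cookies), ("form field", fields)):
        for name in names:
            if name.startswith(DEFAULT_NAME):
                findings.append((kind, name, decode_app_path(name)))
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_RENAMED, SAMPLE_DEFAULT):
        print(audit(sample))
```
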