Renaming Anti Forgery Token Cookie Name (__RequestVerificationToken) in ASP .NET MVC

We had an issue that only occurred in Internet Explorer. The site on our subdomain (sub.example.com) threw an error when the user navigated to it from our main domain (example.com), but not when the user went to the subdomain directly without ever visiting the main domain. After extensive investigation, we found that IE was sending the __RequestVerificationToken cookie set by our main domain along with requests to our subdomain. Both sites were written in ASP .NET MVC and both used the .NET default anti forgery token, so the subdomain received a cookie it had not issued and could not validate.

This spun off a requirement to rename the ASP .NET MVC verification token. The requirement was later dropped (the subdomain team decided to rename their cookie instead, because their site is considerably smaller than ours and therefore needs less regression testing). As a result, this code has never been fully regression tested, so use it with caution.

.NET Framework: .NET 4.5

First, we need to set the anti forgery cookie name in Global.asax.cs (AntiForgeryConfig lives in System.Web.Helpers):

public void Application_Start()
{
    // ... other start-up registration ...
    AntiForgeryConfig.CookieName = "__YourTokenName";
    // ...
}

We will then need to define a new HTML helper as follows. AntiForgery.GetHtml() already issues the cookie under AntiForgeryConfig.CookieName, but it always names the hidden form field __RequestVerificationToken, so the helper renames the field to match the cookie:

using System.Web.Helpers;
using System.Web.Mvc;

public static class MyHtmlHelpers
{
    public static MvcHtmlString myAntiForgeryToken(this HtmlHelper helper)
    {
        string html = AntiForgery.GetHtml().ToString();
        return new MvcHtmlString(html.Replace("__RequestVerificationToken", AntiForgeryConfig.CookieName));
    }
}

The next step is to define a new attribute for our secure controllers that validates both the cookie and the form field under the new name:

using System;
using System.Web.Helpers;
using System.Web.Mvc;

namespace myNamespace
{
    [AttributeUsage(AttributeTargets.Method | AttributeTargets.Class, AllowMultiple = false, Inherited = true)]
    public class myValidateAntiForgeryTokenAttribute : FilterAttribute, IAuthorizationFilter
    {
        public void OnAuthorization(AuthorizationContext filterContext)
        {
            if (filterContext == null)
            {
                throw new ArgumentNullException("filterContext");
            }

            var httpContext = filterContext.HttpContext;

            // Read the cookie and the form field under the configured name rather than the default.
            var cookie = httpContext.Request.Cookies[AntiForgeryConfig.CookieName];
            string cookieToken = cookie != null ? cookie.Value : null;
            string formToken = httpContext.Request.Form[AntiForgeryConfig.CookieName];

            // Throws HttpAntiForgeryException when either token is missing or they do not match.
            AntiForgery.Validate(cookieToken, formToken);
        }
    }
}

Finally, we just need to change every controller's [ValidateAntiForgeryToken] to [myValidateAntiForgeryToken] and every view's @Html.AntiForgeryToken() to @Html.myAntiForgeryToken().
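As an added example (not code from the original post), here is an alternative to the Replace-based helper above that avoids rewriting the generated markup: it asks AntiForgery.GetTokens for the token pair, emits the hidden field under AntiForgeryConfig.CookieName, and sets the cookie explicitly so the HttpOnly and Secure flags are under our control. The class and method names are my own; it pairs with the myValidateAntiForgeryToken attribute, which reads both values under the same name.

```csharp
using System.Web;
using System.Web.Helpers;
using System.Web.Mvc;

namespace myNamespace
{
    public static class ExplicitAntiForgeryHelpers
    {
        // Hypothetical helper name; emits the hidden field and cookie under the configured name.
        public static MvcHtmlString myAntiForgeryTokenExplicit(this HtmlHelper helper)
        {
            HttpContextBase ctx = helper.ViewContext.HttpContext;
            string name = AntiForgeryConfig.CookieName;

            // Reuse the caller's existing cookie token, if any, so repeated page loads do not rotate it.
            HttpCookie existing = ctx.Request.Cookies[name];
            string oldCookieToken = existing != null ? existing.Value : null;

            string newCookieToken;
            string formToken;
            AntiForgery.GetTokens(oldCookieToken, out newCookieToken, out formToken);

            // GetTokens returns a null cookie token when the existing cookie is still valid.
            if (newCookieToken != null)
            {
                var cookie = new HttpCookie(name, newCookieToken)
                {
                    HttpOnly = true,                       // not readable from script
                    Secure = AntiForgeryConfig.RequireSsl  // only over HTTPS when RequireSsl is set
                };
                ctx.Response.Cookies.Set(cookie);
            }

            // Hidden field named to match the cookie, as myValidateAntiForgeryToken expects.
            var input = new TagBuilder("input");
            input.Attributes["type"] = "hidden";
            input.Attributes["name"] = name;
            input.Attributes["value"] = formToken;
            return new MvcHtmlString(input.ToString(TagRenderMode.SelfClosing));
        }
    }
}
```

Use it in a view as @Html.myAntiForgeryTokenExplicit() in place of @Html.AntiForgeryToken(); the cookie is written only when GetTokens reports a new token is needed.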
