Using the antiforgery cookie in ASP.NET Core but with a non-default CookieName

asp.net asp.net-mvc cookies asp.net-core asp.net-core-mvc
10,520

You can set a different name in your Startup.ConfigureServices as in:

services.AddAntiforgery(opts => opts.CookieName = "MyAntiforgeryCookie");

For .Net Core 2.0.0 or greater there will be changes:

Reference: https://docs.microsoft.com/en-us/dotnet/api/Microsoft.AspNetCore.Antiforgery.AntiforgeryOptions?view=aspnetcore-2.0

For that use following:

services.AddAntiforgery(opts => opts.Cookie.Name = "MyAntiforgeryCookie");

By default AddMvc() internally calls AddAntiforgery(), which means you get the default cookie, header and form names. If you need to/want to use different names, you can do so by manually calling AddAntiforgery as above.

There should be no implications for your application if you change the cookie name (unless you added code yourself that manually used that cookie). You might also want to change the header/form name, for example the offical Antiforgery repo has an example that uses Angular and changes the header as the standard angular XSRF token header.

In order to use it, add the [ValidateAntiForgeryToken] to controller actions other than GET requests.

You have to do nothing else for standard html forms as long as you use the asp form tag helpers, see this question.

If you use ajax requests, then you will need to include either a header or a field within your request that includes the generated token. You basically need to:

  1. Get an IAntiforgery
  2. Call var tokenSet = antiforgery.GetAndStoreTokens(httpContext);

  3. Make it available to your js code so it knows about the value tokenSet.RequestToken to be included as either a field with name tokenSet.FormFieldName or a header with name tokenSet.HeaderName within each ajax request.

    • A few options for that like rendering the token into a JS object inside a script section in your js layout, adding a JS readable cookie as in the angular example, keep rendering hidden fields you include within the ajax request
    • There is a nice overview of the options in this answer

The aim is for POST/PUT/DELETE/PATCH requests to include 2 things:

  • the antiforgery cookie
  • the field/header with the token

So the antiforgery middleware can validate there was no XSRF.

Update about cookie name/domain

The sensible default is for each application to have its own cookie. You mostly get that with the default approach as no domain is specifically set on the cookie, so the cookie takes the domain from the request. That would mean different cookies for different applications unless the appliacations are hosted with the same domain.

  • Read more about how cookies work here

You might only want to share the cookie in special cases, for example if you have 2 applications where a form in app A posts to app B. In those cases make sure you use a domain/subdomain that matches both applications and both use the same cookiea name.

  • Read more about XSRF here
Share:
10,520
Jonas
Author by

Jonas

Updated on June 04, 2022

Comments

  • Jonas
    Jonas almost 2 years

    I'm thinking about changing name of the default antiforgery cookie in ASP.NET Core.

    The reason why I would like to change the cookie name is to anonymize the cookie, in my opinion there is no reason why end users should be able to determine the responsibility of this cookie.

    Microsoft.AspNetCore.Antiforgery.AntiforgeryOptions.CookieName

    1. How do I change the name of the antiforgery cookie? I guess it should be done in the Startup.cs file in somehow?
    2. What possible implications could occur by changing name the default antiforgery cookie?
    3. How do I use the antiforgery cookie in ASP.NET Core?
    4. Should different web applications (using same domain) share single antiforgery cookie, or should separate antiforgery cookies be created for each web application?

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Asp.Net Core change url in launchSettings.json not working
.NET Core Web API: multiple [FromBody]?
Equivalent of "@section" in ASP.NET Core MVC?
What is the difference between MVC Controller and Web API Controller in ASP.NET MVC 6?
Dealing with large file uploads on ASP.NET Core 1.0
What is the equivalent of Server.MapPath in ASP.NET Core?
Replacement for System.Web.HttpUtility.UrlEncode/UrlDecode ASP.NET 5
System.Web.HttpContext.Current.get returned null in asp.net mvc controller
What is the best way to produce the report in asp.net core?
.NET Core 2 CookieAuthentication ignores expiration time span