Rename AntiForgeryToken Hidden Input Name from __RequestVerificationToken

Question

(Doing this to obfuscate ASP.NET MVC Framework in web app.)

Have renamed the cookie name with static AntiForgeryConfig class via Helpers in Application_Start.

Global.asax:

AntiForgeryConfig.CookieName = "Test";

But still obvious AntiForgeryToken is being used due to input name:

Front End:

<input name="__RequestVerificationToken" type="hidden" value="blahblahblah" />

Arguably the value smells of MVC with encoding but not really sure what to about this. (Different issue really but comments/other approaches welcomed and appreciated regardless.)

Answer 1

After checking the source code on CodePlex, it appears that this value is hard-coded as a constant. So there's no easy way of changing this value. You can see this here: http://aspnetwebstack.codeplex.com/SourceControl/latest#src/System.Web.WebPages/Helpers/AntiForgeryConfig.cs

I'm surprised it's not configurable. Anyways, it appears that what you want to do is not possible.

However, I advice you create a feature request on Codeplex and hope they will implement it.

Note: If you want to go really hardcore, you could always download the code and make the modification, but this will probably give you more problems than it solves.

Answer 2

The answer to this StackOverflow question should get you started.

Changing the input name is non-trivial. Both the Html.AntiForgeryToken helper and the ValidationAntiforgeryToken attribute rely on the input name being "__RequestVerificationToken". If you want it to be something else, you will need to drop down into using the AntiForgery API and create your own versions of both helper and attribute to validate against your chosen name.