
Rename AntiForgeryToken Hidden Input Name from __RequestVerificationToken

(Doing this to obfuscate ASP.NET MVC Framework in web app.)

Have renamed the cookie name with static AntiForgeryConfig class via Helpers in Application_Start.

Global.asax:

AntiForgeryConfig.CookieName = "Test";

But still obvious AntiForgeryToken is being used due to input name:

Front End:

<input name="__RequestVerificationToken" type="hidden" value="blahblahblah" />

Arguably the value smells of MVC with encoding but not really sure what to do about this. (Different issue really but comments/other approaches welcomed and appreciated regardless.)

user2303264 asked Jun 26 '13 20:06


2 Answers

After checking the source code on CodePlex, it appears that this value is hard-coded as a constant. So there's no easy way of changing this value. You can see this here: http://aspnetwebstack.codeplex.com/SourceControl/latest#src/System.Web.WebPages/Helpers/AntiForgeryConfig.cs

I'm surprised it's not configurable. Anyways, it appears that what you want to do is not possible.

However, I advise you to create a feature request on CodePlex and hope they will implement it.

Note: If you want to go really hardcore, you could always download the code and make the modification, but this will probably give you more problems than it solves.

Kenneth answered Oct 04 '22 10:10


The answer to this StackOverflow question should get you started.

Changing the input name is non-trivial. Both the Html.AntiForgeryToken helper and the ValidationAntiforgeryToken attribute rely on the input name being "__RequestVerificationToken". If you want it to be something else, you will need to drop down into using the AntiForgery API and create your own versions of both helper and attribute to validate against your chosen name.

Chris Pratt answered Oct 04 '22 08:10
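The approach described in the answer above, sketched as an added example (not code from either answer or from the ASP.NET source): a helper and a filter built on `AntiForgery.GetTokens` and `AntiForgery.Validate(cookieToken, formToken)` from `System.Web.Helpers`, which ship with ASP.NET MVC 4 and later. The names `CustomAntiForgery`, `CustomAntiForgeryToken`, `ValidateCustomAntiForgeryTokenAttribute` and the field name `form_token` are hypothetical.

```csharp
using System;
using System.Web;
using System.Web.Helpers;
using System.Web.Mvc;

public static class CustomAntiForgery
{
    // Hypothetical field name chosen for this example.
    public const string FieldName = "form_token";

    // Stand-in for Html.AntiForgeryToken(): issues the token pair and renders the form token under FieldName.
    public static IHtmlString CustomAntiForgeryToken(this HtmlHelper html)
    {
        HttpContextBase ctx = html.ViewContext.HttpContext;
        HttpCookie existing = ctx.Request.Cookies[AntiForgeryConfig.CookieName];
        string newCookieToken, formToken;
        AntiForgery.GetTokens(existing != null ? existing.Value : null,
                              out newCookieToken, out formToken);

        // newCookieToken is null when the existing cookie token is still valid.
        if (newCookieToken != null)
        {
            ctx.Response.Cookies.Set(new HttpCookie(AntiForgeryConfig.CookieName, newCookieToken)
            {
                HttpOnly = true,
                Secure = AntiForgeryConfig.RequireSsl
            });
        }

        var input = new TagBuilder("input");
        input.Attributes["type"] = "hidden";
        input.Attributes["name"] = FieldName;
        input.Attributes["value"] = formToken;
        return new HtmlString(input.ToString(TagRenderMode.SelfClosing));
    }
}

// Stand-in for [ValidateAntiForgeryToken]: reads the form token from FieldName.
public sealed class ValidateCustomAntiForgeryTokenAttribute : FilterAttribute, IAuthorizationFilter
{
    public void OnAuthorization(AuthorizationContext filterContext)
    {
        HttpRequestBase request = filterContext.HttpContext.Request;
        HttpCookie cookie = request.Cookies[AntiForgeryConfig.CookieName];
        // Throws HttpAntiForgeryException when a token is missing or the pair does not match.
        AntiForgery.Validate(cookie != null ? cookie.Value : null,
                             request.Form[CustomAntiForgery.FieldName]);
    }
}
```

Use `@Html.CustomAntiForgeryToken()` inside the form and `[ValidateCustomAntiForgeryToken]` on the POST action; the cookie name still comes from `AntiForgeryConfig.CookieName`. Unlike `Html.AntiForgeryToken()`, this helper does not add the `X-Frame-Options: SAMEORIGIN` response header, so set that header elsewhere if you relied on it.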