Tweaking the AntiForgeryToken on ASP.Net MVC

A release candidate for ASP.Net MVC has just been released.

Functionally it has only a few changes from the beta, but there is one thing they sneaked in from the Futures assembly: the anti-forgery helper. It is well worth a look, and Steve Sanderson did a great post on it while it was still in the Futures assembly (incidentally, his book, even in pre-release form, is really good). They fixed the bug it had in the Futures bundle that caused it to throw an exception when used from a virtual directory, and presumably tidied it up some, so it should be in the final release.

There is one thing it doesn’t appear to do currently, however, and that’s let you specify the scope of the cookie it sets. To do that I created my own helper extension that just wraps around their method. All it does is set the path on the cookie to the application path, so that if the app lives in a virtual directory the cookie only applies to that application. That way I can have a test and a live site running off the same box, in different virtual directories, without one overwriting the other’s __RequestVerificationToken cookie and breaking its form posts. Bear in mind that the Path attribute is a collision-avoidance measure, not a security boundary: the browser treats both virtual directories as one origin, so Path keeps the two cookies from clobbering each other but does not isolate one site from the other. (The final 1.0 release later handled this itself, with AntiForgeryToken overloads that take a domain and path and a cookie name that includes the application path, so the wrapper below is only needed on the release candidate.)

using System.Linq;
using System.Web;
using System.Web.Mvc;

public static class MyAntiForgeryExtensions
{
    private const string CookieName = "__RequestVerificationToken";

    public static string MyAntiForgeryToken(this HtmlHelper helper)
    {
        return MyAntiForgeryToken(helper, null);
    }

    public static string MyAntiForgeryToken(this HtmlHelper helper, string salt)
    {
        HttpContextBase context = helper.ViewContext.HttpContext;
        string fragment = helper.AntiForgeryToken(salt);

        // The built-in helper only adds a cookie to the response when the request
        // did not already carry a usable one. Indexing Response.Cookies by a name
        // that is not there creates an empty cookie and sends it, blanking the
        // token in the browser (fatal on the next POST), so only touch a cookie
        // the helper actually queued.
        if (context.Response.Cookies.AllKeys.Contains(CookieName))
        {
            HttpCookie cookie = context.Response.Cookies[CookieName];
            cookie.Path = context.Request.ApplicationPath; // scope to this virtual directory
        }
        return fragment;
    }
}

That works seamlessly with the existing helper and the [ValidateAntiForgeryToken] attribute; you just put My in front of the AntiForgeryToken call in your .aspx view.

<%= Html.MyAntiForgeryToken() %>

At the moment there is an additional kludge in there (not shown above) to prevent the ASP.NET cookie from being read again. The built-in helper reads the existing cookie and reuses its token if one is found; on my site that seemed to result in a blank value being written for the cookie. I haven’t figured out why, or whether it’s something I’m doing, but for now the kludge saves my website from crashing. The most likely cause is a quirk of HttpCookieCollection: indexing Response.Cookies by a name that is not in the collection does not return null, it creates an empty cookie and queues it for the response. That is exactly what the wrapper does whenever the built-in helper has skipped writing a cookie because the request already carried a valid one, and the resulting empty Set-Cookie overwrites the good token in the browser. Checking Response.Cookies.AllKeys before indexing avoids the blank cookie without the kludge.
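To see that mechanism in isolation, here is an added example (not code from the original post) that runs as a console program under .NET Framework with a reference to System.Web.dll. The two wrappers, NaiveScope and GuardedScope, are hypothetical stand-ins for the helper extension, the token value is constructed for the demo, and the HttpResponse is built over a StringWriter purely so the cookie collection can be inspected outside IIS. It assumes, as the post describes, that the built-in helper queues a cookie only when the request did not already carry one:

```csharp
// Console program for .NET Framework; compile with: csc /r:System.Web.dll CookieScopingDemo.cs
using System;
using System.IO;
using System.Linq;
using System.Web;

static class CookieScopingDemo
{
    const string CookieName = "__RequestVerificationToken";

    // What an unguarded wrapper does: index Response.Cookies unconditionally.
    // HttpCookieCollection creates a response cookie on demand, so a miss
    // silently queues an empty cookie instead of returning null.
    static HttpCookie NaiveScope(HttpResponse response, string appPath)
    {
        HttpCookie cookie = response.Cookies[CookieName];
        cookie.Path = appPath;
        return cookie;
    }

    // Guarded variant: only touch a cookie the framework actually queued.
    // AllKeys is a plain key listing and does not create anything.
    static HttpCookie GuardedScope(HttpResponse response, string appPath)
    {
        if (!response.Cookies.AllKeys.Contains(CookieName))
        {
            return null;
        }
        HttpCookie cookie = response.Cookies[CookieName];
        cookie.Path = appPath;
        return cookie;
    }

    static void Main()
    {
        // Case 1: the request already carried a valid token, so the built-in
        // helper queued nothing. The naive wrapper now manufactures an empty
        // cookie that would overwrite the browser's good token.
        HttpResponse response = new HttpResponse(new StringWriter());
        Console.WriteLine("queued before wrapper: {0}", response.Cookies.Count);

        HttpCookie naive = NaiveScope(response, "/test");
        Console.WriteLine("naive: queued={0}, empty value={1}, path={2}",
            response.Cookies.Count, string.IsNullOrEmpty(naive.Value), naive.Path);

        response = new HttpResponse(new StringWriter());
        HttpCookie guarded = GuardedScope(response, "/test");
        Console.WriteLine("guarded: touched={0}, queued={1}",
            guarded != null, response.Cookies.Count);

        // Case 2: the helper issued a fresh token (value constructed for the demo);
        // the guarded wrapper scopes it to the virtual directory as intended.
        response = new HttpResponse(new StringWriter());
        response.Cookies.Add(new HttpCookie(CookieName, "demo-token-value") { HttpOnly = true });
        guarded = GuardedScope(response, "/test");
        Console.WriteLine("guarded: value={0}, path={1}", guarded.Value, guarded.Path);
    }
}
```

Run it and compare the first two cases: the naive wrapper leaves one cookie with an empty value queued on a response that should have carried none, while the guarded wrapper leaves the response untouched. Only in the third case, where a token was genuinely issued, does the guarded wrapper rewrite the path.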
