Is there a way to rename the RequestVerificationToken cookie name?

Question

Using ASP.net MVC v2.0, Any way to change the name of the __RequestVerificationToken cookie? In an effort to conceal our underlying technology stack, I’d like to rename the cookie to something that can’t be traced back to ASP.Net MVC.

More info on this at Steve Sanderson's blog.

Answer 1

ASP.NET MVC 3 and 4 let you change the cookie name by setting the static AntiForgeryConfig.CookieName property. (Msdn reference here)

I know that the question asks specifically about ASP.NET MVC 2, but this question still returns high up the search engine rankings for appropriate queries such as "ASP.NET MVC AntiForgeryToken cookie name". I thought I'd add the information here to save others from decompiling the ASP.NET MVC 3+ source code like I did.

Answer 2

Looking at the MVC 2 source code I dont think it's possible to change the cookie name. The AntiForgeryData class starts:

private const string AntiForgeryTokenFieldName = "__RequestVerificationToken";

and to get the cookie name it just calls:

string cookieName = AntiForgeryData.GetAntiForgeryTokenName(ViewContext.HttpContext.Request.ApplicationPath);

in the HtmlHelper class. It takes the application path and converts it to base 64 and appends it onto the end of __RequestVerificationToken which is what you see when you view the source.

If you really need to change the name I'd recommend downloading the MVC 2 source code from codeplex and look at creating your own html helper and anti forgery token using the source code as a reference. But in doing this you could always introduce your own bugs...