ASP.NET MVC 3 Anti-Forgery Protection for a Multi-Port Application Hosted on the Same Local Server

I have 2 websites; in fact they are the same. The goal is that one of them is intended for Internet users and the second for local use. Now they are hosted on the same IIS server on my localhost machine. When I open these two websites and try to get the result of an action that is marked [ValidateAntiForgeryToken], I have a problem: in my cookies I have cookies for my localhost website, and there is a cookie named "__RequestVerificationToken_Lw__", which is the anti-forgery security key. And the problem is that both sites use the same cookie to store this key. And so, if I did something on one website, I get an anti-forgery error when I try to do something with the other.

How can I change the cookie domain or any other cookie sharing solutions?

Thanks!

1 answer

Ok, let's see what ValidateAntiForgeryTokenAttribute does (Reflector / ILSpy is your friend):

    public void OnAuthorization(AuthorizationContext filterContext)
    {
        if (filterContext == null)
        {
            throw new ArgumentNullException("filterContext");
        }
        // Form field name (no app path) and cookie name (suffixed with the encoded app path).
        string antiForgeryTokenName = AntiForgeryData.GetAntiForgeryTokenName(null);
        string antiForgeryTokenName2 = AntiForgeryData.GetAntiForgeryTokenName(filterContext.HttpContext.Request.ApplicationPath);
        HttpCookie httpCookie = filterContext.HttpContext.Request.Cookies[antiForgeryTokenName2];
        if (httpCookie == null || string.IsNullOrEmpty(httpCookie.Value))
        {
            throw ValidateAntiForgeryTokenAttribute.CreateValidationException();
        }
        AntiForgeryData antiForgeryData = this.Serializer.Deserialize(httpCookie.Value);
        string text = filterContext.HttpContext.Request.Form[antiForgeryTokenName];
        if (string.IsNullOrEmpty(text))
        {
            throw ValidateAntiForgeryTokenAttribute.CreateValidationException();
        }
        AntiForgeryData antiForgeryData2 = this.Serializer.Deserialize(text);
        // The cookie token and the form token must carry the same random value.
        if (!string.Equals(antiForgeryData.Value, antiForgeryData2.Value, StringComparison.Ordinal))
        {
            throw ValidateAntiForgeryTokenAttribute.CreateValidationException();
        }
        // The form token must have been issued to the currently authenticated user.
        string username = AntiForgeryData.GetUsername(filterContext.HttpContext.User);
        if (!string.Equals(antiForgeryData2.Username, username, StringComparison.OrdinalIgnoreCase))
        {
            throw ValidateAntiForgeryTokenAttribute.CreateValidationException();
        }
        // Attribute-specific check (the Salt property).
        if (!this.ValidateFormToken(antiForgeryData2))
        {
            throw ValidateAntiForgeryTokenAttribute.CreateValidationException();
        }
    }

Well, obviously, the cookie name for the token is made from the application path:

    string antiForgeryTokenName2 = AntiForgeryData.GetAntiForgeryTokenName(filterContext.HttpContext.Request.ApplicationPath);
    HttpCookie httpCookie = filterContext.HttpContext.Request.Cookies[antiForgeryTokenName2];

So, you create your own filter: just copy-paste this code and change it to respect the port (or whatever else you use to distinguish your applications):

    string antiForgeryTokenName2 = AntiForgeryData.GetAntiForgeryTokenName(filterContext.HttpContext.Request.ApplicationPath + filterContext.HttpContext.Request.Url.Port);
    HttpCookie httpCookie = filterContext.HttpContext.Request.Cookies[antiForgeryTokenName2];

Thus, the cookie name ("__RequestVerificationToken_Lw__") will also change by port.

And, of course, we cannot forget to change this cookie name while creating the token. Unfortunately, you need to copy-paste ("repeat") 2 things here: first, the AntiForgeryToken extension method, so that it calls your own AntiForgeryWorker, and then AntiForgeryWorker itself; just override the GetAntiForgeryTokenAndSetCookie method, which does the same thing as before:

    string antiForgeryTokenName = AntiForgeryData.GetAntiForgeryTokenName(httpContext.Request.ApplicationPath);

Well, that seems like a mess, and it's definitely not a DRY solution, but if you really want it, you can do it in a few minutes. Just use a reflector and copy :)

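The collision the question describes, and the effect of the answer's port suffix, as an added Python model that is not part of the original thread or of the MVC source. It reproduces only the MVC 3 cookie-name derivation (field name plus cookie-safe base64 of the application path) and a browser cookie jar that, like real browsers, scopes cookies by host and not by port; the token itself is reduced to its random value, and hosts, ports and values are constructed.

```python
import base64
import secrets

FIELD_NAME = "__RequestVerificationToken"

def token_name(app_path, port=None):
    """Cookie name as MVC 3 derives it: field name + "_" + base64(app path),
    with "+", "/", "=" swapped for the cookie-safe ".", "-", "_".
    port=None is the stock behaviour; a port is appended to the app path,
    mirroring the answer's ApplicationPath + Url.Port tweak."""
    if not app_path:
        return FIELD_NAME
    path = app_path if port is None else f"{app_path}{port}"
    b64 = base64.b64encode(path.encode("utf-8")).decode("ascii")
    return FIELD_NAME + "_" + b64.replace("+", ".").replace("/", "-").replace("=", "_")

class BrowserJar:
    """Minimal cookie jar: a cookie is scoped by host (and path), never by
    port, so localhost:80 and localhost:8080 read and write the same entry."""

    def __init__(self):
        self.cookies = {}

    def set(self, host, name, value):
        self.cookies[(host, name)] = value

    def get(self, host, name):
        return self.cookies.get((host, name))

def render_form(jar, host, port, app_path, scope_by_port):
    """GET: issue a random value, store it in the cookie and return the same
    value as the hidden form field (username, timestamp and MAC omitted)."""
    value = secrets.token_hex(8)
    jar.set(host, token_name(app_path, port if scope_by_port else None), value)
    return value

def validate_post(jar, host, port, app_path, form_value, scope_by_port):
    """POST: the ordinal cookie-vs-form comparison the attribute performs."""
    cookie = jar.get(host, token_name(app_path, port if scope_by_port else None))
    return cookie is not None and cookie == form_value

def scenario(scope_by_port):
    """Open the form on :80, then on :8080, then submit both; returns (a_ok, b_ok)."""
    jar = BrowserJar()
    form_a = render_form(jar, "localhost", 80, "/", scope_by_port)
    form_b = render_form(jar, "localhost", 8080, "/", scope_by_port)
    return (validate_post(jar, "localhost", 80, "/", form_a, scope_by_port),
            validate_post(jar, "localhost", 8080, "/", form_b, scope_by_port))
```

With the stock name the second site's GET overwrites the first site's cookie, so the first form is rejected exactly as in the question; with the port folded into the name both submissions pass.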
