I have 2 websites, actually they are the same. The purpose is in that one of them is for internet users and the second one is for local use.
Now they are hosted on the same IIS server on my localhost machine.
When I open this two websites and trying to get action result which is marked with [ValidateAntiForgeryToken] I have an issue that in my cookies i have cookies for my localhost site and there is a cookie with name “RequestVerificationToken_Lw” which is anti-forgery protection key.
And the problem is in that both sites are using the same cookie to store this key. And so if did smth on one web site I get anti-forgery error when I’m trying to do smth on the other.
How can I change cookie domain or any other solutions to split cookies?
Thank You!
Well, lets see what the ValidateAntiforgeryTokenAttribute does (Reflector/ILSpy is your friend) :
public void OnAuthorization(AuthorizationContext filterContext) { if (filterContext == null) { throw new ArgumentNullException("filterContext"); } string antiForgeryTokenName = AntiForgeryData.GetAntiForgeryTokenName(null); string antiForgeryTokenName2 = AntiForgeryData.GetAntiForgeryTokenName(filterContext.HttpContext.Request.ApplicationPath); HttpCookie httpCookie = filterContext.HttpContext.Request.Cookies[antiForgeryTokenName2]; if (httpCookie == null || string.IsNullOrEmpty(httpCookie.Value)) { throw ValidateAntiForgeryTokenAttribute.CreateValidationException(); } AntiForgeryData antiForgeryData = this.Serializer.Deserialize(httpCookie.Value); string text = filterContext.HttpContext.Request.Form[antiForgeryTokenName]; if (string.IsNullOrEmpty(text)) { throw ValidateAntiForgeryTokenAttribute.CreateValidationException(); } AntiForgeryData antiForgeryData2 = this.Serializer.Deserialize(text); if (!string.Equals(antiForgeryData.Value, antiForgeryData2.Value, StringComparison.Ordinal)) { throw ValidateAntiForgeryTokenAttribute.CreateValidationException(); } string username = AntiForgeryData.GetUsername(filterContext.HttpContext.User); if (!string.Equals(antiForgeryData2.Username, username, StringComparison.OrdinalIgnoreCase)) { throw ValidateAntiForgeryTokenAttribute.CreateValidationException(); } if (!this.ValidateFormToken(antiForgeryData2)) { throw ValidateAntiForgeryTokenAttribute.CreateValidationException(); } }Okay, it is obvious, that the cookie name for the token is made from application path:
string antiForgeryTokenName2 = AntiForgeryData.GetAntiForgeryTokenName(filterContext.HttpContext.Request.ApplicationPath); HttpCookie httpCookie = filterContext.HttpContext.Request.Cookies[antiForgeryTokenName2];So, you create your own filter, just copy-paste this code, and change that to respect also port (or whatever by what you distinguish your applications):
string antiForgeryTokenName2 = AntiForgeryData.GetAntiForgeryTokenName(filterContext.HttpContext.Request.ApplicationPath + filterContext.HttpContext.Request.Url.Port); HttpCookie httpCookie = filterContext.HttpContext.Request.Cookies[antiForgeryTokenName2];This way the cookie name (“RequestVerificationToken_Lw”) will vary by port too.
And of course we cant forget to change this cookie name while creating the token too. Unfortunately, you will need to copy-paste “re-implement” 2 things here – first the AntiForgeryToken extension method to call your own AntiForgeryWorker, and then the AntiForgeryWorker itself – just override the method GetAntiForgeryTokenAndSetCookie, it is the same stuff as before :
Well, it seems a mess, and its definitely not a DRY solution, but if you really really want this, you can have it done in few minutes. Just use reflector and copy-paste 🙂