We have an app written in ASP.NET MVC 3, that uses @Html.AntiForgeryToken() . We

Question

0

Asked: June 12, 20262026-06-12T17:33:28+00:00 2026-06-12T17:33:28+00:00

We have an app written in ASP.NET MVC 3, that uses @Html.AntiForgeryToken() . We

0

We have an app written in ASP.NET MVC 3, that uses @Html.AntiForgeryToken().

We want to validate the token in our custom attribute (without a need of specifying the default attribute [ValidateAntiForgeryToken]). This should be pretty straightforward, but I’ve found an interesting inconsistency.

All the code below is running within the following method:

[AttributeUsage(AttributeTargets.Method | AttributeTargets.Class, AllowMultiple = false, Inherited = true)]
public class ValidateJsonAntiForgeryTokenAttribute : FilterAttribute, IAuthorizationFilter
{  
    public void OnAuthorization(AuthorizationContext filterContext)
    {
    ...

AntiForgeryConfig.CookieName value is __RequestVerificationToken. That seems to make sense.
filterContext.HttpContext.Request.Cookies contains 1 cookie – but its name is __RequestVerificationToken_Lw__.

Question: aren’t those two supposed to be the same so I can use following snippet to get the cookie?

var cookie = filterContext.HttpContext.Request.Cookies[AntiForgeryConfig.CookieName];

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-06-12T17:33:29+00:00

Editorial Team

2026-06-12T17:33:29+00:00Added an answer on June 12, 2026 at 5:33 pm

The default cookie name changed between MVC 3 and MVC 4. In MVC 3, the default cookie name contains “Lw” and extra underscores near the end. Can you confirm that the cookie is being generated by an MVC 4 application instead of an MVC 3 application?

0

Reply
Share
Share

- Report

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

We have an app written in ASP.NET MVC 3, that uses @Html.AntiForgeryToken() . We

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply