I'm thinking about changing the name of the default antiforgery cookie in ASP.NET Core.
The reason why I would like to change the cookie name is to anonymize the cookie; in my opinion there is no reason why end users should be able to determine the responsibility of this cookie.
You can set a different name in your Startup.ConfigureServices as in:
services.AddAntiforgery(opts => opts.CookieName = "MyAntiforgeryCookie");
AddMvc() internally calls AddAntiforgery(), which means you get the default cookie, header and form names. If you need to/want to use different names, you can do so by manually calling AddAntiforgery as above.
There should be no implications for your application if you change the cookie name (unless you added code yourself that manually used that cookie). You might also want to change the header/form name; for example, the official Antiforgery repo has an example that uses Angular and changes the header to the standard Angular XSRF token header.
In order to use it, add [ValidateAntiForgeryToken] to controller actions other than GET requests.
You have to do nothing else for standard HTML forms as long as you use the ASP form tag helpers; see this question.
If you use ajax requests, then you will need to include either a header or a field within your request that includes the generated token. You basically need to get a token set with
var tokenSet = antiforgery.GetAndStoreTokens(httpContext);
and then include tokenSet.RequestToken as either a field with name tokenSet.FormFieldName or a header with name tokenSet.HeaderName within each ajax request (rendering the token into a JS object inside a script section in your JS layout, adding a JS-readable cookie as in the Angular example, keeping the hidden fields rendered and including them within the ajax request, ...).
The aim is for POST/PUT/DELETE/PATCH requests to include 2 things:
So the antiforgery middleware can validate there was no XSRF.
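As an added example (not code from the question, the answer or the ASP.NET Core project), the following Startup renames the antiforgery cookie, header and form field and exposes the request token to script callers through a hypothetical /antiforgery/token endpoint; it assumes ASP.NET Core 2.x or later, where the cookie name is configured through opts.Cookie.Name, and the names "X-ANON", "X-REQ-TOKEN" and "__req" are placeholders chosen here.

```csharp
// Added example, not from the original post. Assumes ASP.NET Core 2.x+.
using Microsoft.AspNetCore.Antiforgery;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddMvc();
        // Override the defaults registered by AddMvc(); the names are opaque on purpose.
        services.AddAntiforgery(opts =>
        {
            opts.Cookie.Name = "X-ANON";                      // placeholder cookie name
            opts.Cookie.HttpOnly = true;                      // script must not read the cookie token
            opts.Cookie.SecurePolicy = CookieSecurePolicy.Always;
            opts.HeaderName = "X-REQ-TOKEN";                  // placeholder header name for ajax callers
            opts.FormFieldName = "__req";                     // placeholder hidden-field name for forms
        });
    }

    public void Configure(IApplicationBuilder app, IAntiforgery antiforgery)
    {
        // Hypothetical endpoint: issues the cookie token (stored by GetAndStoreTokens)
        // and returns the matching request token plus the header name the client must use.
        app.Map("/antiforgery/token", branch => branch.Run(async ctx =>
        {
            AntiforgeryTokenSet tokens = antiforgery.GetAndStoreTokens(ctx);
            ctx.Response.ContentType = "application/json";
            await ctx.Response.WriteAsync(
                $"{{\"headerName\":\"{tokens.HeaderName}\",\"token\":\"{tokens.RequestToken}\"}}");
        }));
        app.UseMvc();
    }
}

public class ItemsController : Controller
{
    // Non-GET action: the filter rejects the request unless the cookie token and the
    // request token (from the X-REQ-TOKEN header or the __req field) validate as a pair.
    [HttpPost, ValidateAntiForgeryToken]
    public IActionResult Create([FromBody] string name) => Ok(name);
}
```

A script client first calls GET /antiforgery/token with credentials, then sends the returned token in the returned header name on every POST/PUT/DELETE/PATCH; a request carrying only the cookie, as a cross-site form or XHR would, fails validation.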