Disabling antiforgery token validation in ASP.NET Core 2.0 Razor Pages

  • 2021-10-16 01:27:34
  • OfStack

In this short article I'll show you how to disable antiforgery token validation in ASP.NET Core Razor Pages.

Razor Pages is a page-centric framework added in ASP.NET Core 2.0 for building dynamic, data-driven websites. It supports cross-platform development and can be deployed on Windows, Unix and Mac operating systems.

Cross-site request forgery (also known as XSRF or CSRF) is an attack against web-hosted applications in which a malicious website can influence the interaction between a client browser and a website that the browser trusts. The attack is possible because the browser automatically sends certain authentication tokens to the requesting website with every request. This form of attack is also called a one-click attack or session riding, because it takes advantage of the user's previously authenticated session. See my other blog post on this topic: ASP.NET Core Preventing Cross-Site Request Forgery (XSRF/CSRF) Attacks.

Razor Pages is designed to prevent cross-site request forgery by default: antiforgery token generation and validation are built into Razor Pages automatically. In some cases, however, you may want to disable it.

Disabling Globally

To disable antiforgery token validation globally in Razor Pages, turn it off in the ConfigureServices method of the Startup class:


public void ConfigureServices(IServiceCollection services)
{
    services.AddMvc().AddRazorPagesOptions(options =>
    {
        // Skip antiforgery validation on every Razor page
        options.Conventions.ConfigureFilter(new IgnoreAntiforgeryTokenAttribute());
    });
}

This turns off antiforgery token validation for the entire application. Note that disabling validation does not stop the hidden field or the cookie from being generated; it only skips the validation step.

The antiforgery token itself is generated by FormTagHelper. Fortunately, ASP.NET Core MVC provides a way to configure a tag helper globally:


public void ConfigureServices(IServiceCollection services)
{
    // Stop every <form> rendered by FormTagHelper from emitting the token
    services.AddMvc().InitializeTagHelper<FormTagHelper>((helper, context) => helper.Antiforgery = false);
}

The complete code for disabling antiforgery token validation globally is therefore:


public void ConfigureServices(IServiceCollection services)
{
    services.AddMvc().AddRazorPagesOptions(options =>
    {
        // Skip validation on every page...
        options.Conventions.ConfigureFilter(new IgnoreAntiforgeryTokenAttribute());
    })
    // ...and stop the token from being generated in the first place
    .InitializeTagHelper<FormTagHelper>((helper, context) => helper.Antiforgery = false);
}

Disabling Partially

If you only want to disable validation for specific pages or page models, there are two ways:

1. Configure it in the ConfigureServices method of the Startup class, supplying the path of the page:


public void ConfigureServices(IServiceCollection services)
{
    services.AddMvc().AddRazorPagesOptions(options =>
    {
        // Add the ignore filter to the /demo page only
        options.Conventions.AddPageApplicationModelConvention("/demo",
            pageApplicationModel => pageApplicationModel.Filters.Add(new IgnoreAntiforgeryTokenAttribute()));
    });
}

With this, antiforgery token validation is disabled for the demo page only.

2. Apply the attribute to the PageModel:


// Order must exceed the validation filter's Order (1000) for the ignore to take effect
[IgnoreAntiforgeryToken(Order = 1001)]
public class DemoModel : PageModel
{
    public void OnPost()
    {
    }
}

The Order of the ValidateAntiForgeryToken attribute defaults to 1000, so the IgnoreAntiforgeryToken attribute needs a higher Order value in order to take precedence.
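As an added example that is not part of the original article or the framework's own code: a Startup that keeps antiforgery validation on for the whole site and exempts a single page with the convention from method 1, together with that page's model, which must then authenticate its callers some other way. The page path /Webhook, the WebhookModel class, the header name and the secret are all assumptions made for this example.

```csharp
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.RazorPages;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddMvc().AddRazorPagesOptions(options =>
        {
            // Validation stays on for every other page; only Pages/Webhook.cshtml
            // is exempted. Order 1001 makes this filter win over the framework's
            // validation filter, whose Order is 1000.
            options.Conventions.AddPageApplicationModelConvention("/Webhook",
                model => model.Filters.Add(new IgnoreAntiforgeryTokenAttribute { Order = 1001 }));
        });
    }

    public void Configure(IApplicationBuilder app, IHostingEnvironment env)
    {
        app.UseMvc();
    }
}

// Pages/Webhook.cshtml.cs (assumed file): receives POSTs from a third-party
// service that has no browser session and therefore cannot carry an antiforgery
// token. Because the CSRF check is skipped here, the caller must be authenticated
// another way; a shared secret sent in a request header is used for this example.
public class WebhookModel : PageModel
{
    // Placeholder only; load a real secret from configuration, never from source.
    private const string ExpectedSecret = "PLACEHOLDER-SHARED-SECRET";

    public IActionResult OnPost()
    {
        if (!Request.Headers.TryGetValue("X-Webhook-Secret", out var secret)
            || !string.Equals(secret, ExpectedSecret, System.StringComparison.Ordinal))
        {
            // Reject the request before any work is done on behalf of the caller
            return Unauthorized();
        }

        return new OkResult();
    }
}
```

Every page other than /Webhook still receives the framework's validation filter, so the exemption cannot leak to the rest of the site.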

As noted above, disabling antiforgery token validation does not stop the hidden field or the cookie from being generated, so you also need to stop FormTagHelper from generating the token on the form:


<form method="post" asp-antiforgery="false">
</form>

That covers the topic. If you are interested, feel free to try it out yourself.
