Disabling antiforgery token validation in ASP.NET Core 2.0 Razor Pages
In this short article, I will show you how to disable antiforgery token validation in ASP.NET Core Razor Pages.
Razor Pages is a page-based framework added in ASP.NET Core 2.0 for building dynamic, data-driven websites. It supports cross-platform development and can be deployed on Windows, Unix and Mac operating systems.
Cross-site request forgery (XSRF or CSRF) is an attack against web-hosted applications in which a malicious website can influence the interaction between a client browser and a website that the browser trusts. The attack is possible because the web browser automatically sends certain authentication tokens to the target website with every request. This form of attack is also known as a one-click attack or session riding, because it rides on a session that the user has already authenticated. For more on this topic, see my other blog post: ASP.NET Core prevents cross-site request forgery (XSRF/CSRF) attacks.
Razor Pages is designed to protect against cross-site request forgery by default: antiforgery token generation and validation are included automatically. However, in some cases you may want to disable it.
Disabling globally
To disable antiforgery token validation for all Razor Pages, add a filter convention in the ConfigureServices method of the Startup class:
public void ConfigureServices(IServiceCollection services)
{
    services.AddMvc()
        .AddRazorPagesOptions(o =>
        {
            // Apply IgnoreAntiforgeryToken to every page model
            o.Conventions.ConfigureFilter(new IgnoreAntiforgeryTokenAttribute());
        });
}
This disables antiforgery token validation for the entire application. Please note that disabling validation does not stop the hidden fields or cookies from being generated; it only skips the validation step.
We know that the antiforgery token is generated by the FormTagHelper. Fortunately, ASP.NET Core MVC provides a way to configure a tag helper globally:
public void ConfigureServices(IServiceCollection services)
{
    services.AddMvc()
        // Stop every <form> from emitting the hidden antiforgery field
        .InitializeTagHelper<FormTagHelper>((helper, context) => helper.Antiforgery = false);
}
The complete code for disabling antiforgery token validation and generation globally is as follows:
public void ConfigureServices(IServiceCollection services)
{
    services.AddMvc()
        .AddRazorPagesOptions(o =>
        {
            // Skip validation on every page model
            o.Conventions.ConfigureFilter(new IgnoreAntiforgeryTokenAttribute());
        })
        // Skip token generation in every form
        .InitializeTagHelper<FormTagHelper>((helper, context) => helper.Antiforgery = false);
}
Disabling partially
If you want to disable validation for a specific page model only, you can use either of the following methods:
1. Configure it in the ConfigureServices method of the Startup class, supplying the page path:
public void ConfigureServices(IServiceCollection services)
{
    services.AddMvc()
        .AddRazorPagesOptions(options =>
        {
            // Add the ignore filter to the /demo page model only
            options.Conventions.AddPageApplicationModelConvention("/demo",
                pageApplicationModel => pageApplicationModel.Filters.Add(new IgnoreAntiforgeryTokenAttribute()));
        });
}
Here, antiforgery token validation is disabled for the demo page only.
2. Apply the attribute to the PageModel:
[IgnoreAntiforgeryToken(Order = 1001)]
public class DemoModel : PageModel
{
    public void OnPost()
    {
    }
}
The ValidateAntiForgeryToken attribute has a default Order of 1000, so the IgnoreAntiforgeryToken attribute needs a higher Order value to take precedence.
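A page model that uses the attribute from method 2 and, because the token check is gone, authenticates the POST with an explicit credential instead of the caller's cookies. This is an added example, not code from the original article; the X-Api-Key header and the ApiKeys:Webhook configuration value are assumptions.

```csharp
using System.Text;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.RazorPages;
using Microsoft.Extensions.Configuration;

// Validation is skipped for this page only (Order 1001 outranks the default
// Order 1000 of the validation filter), so the handler must not rely on the
// caller's cookie session to decide whether the POST is legitimate.
[IgnoreAntiforgeryToken(Order = 1001)]
public class WebhookModel : PageModel
{
    private readonly IConfiguration _config;

    public WebhookModel(IConfiguration config) => _config = config;

    // Hypothetical X-Api-Key header and ApiKeys:Webhook setting (assumptions).
    public IActionResult OnPost([FromHeader(Name = "X-Api-Key")] string apiKey)
    {
        var expected = _config["ApiKeys:Webhook"];
        if (string.IsNullOrEmpty(expected) || !FixedTimeEquals(apiKey ?? "", expected))
        {
            // No valid key: reject without touching any cookie-based identity.
            return Unauthorized();
        }

        // ... process the webhook body here ...
        return new OkResult();
    }

    // Constant-time comparison of the two keys. CryptographicOperations.FixedTimeEquals
    // only exists from .NET Core 2.1, so it is written out here for 2.0.
    private static bool FixedTimeEquals(string a, string b)
    {
        var x = Encoding.UTF8.GetBytes(a);
        var y = Encoding.UTF8.GetBytes(b);
        if (x.Length != y.Length) return false;
        var diff = 0;
        for (var i = 0; i < x.Length; i++) diff |= x[i] ^ y[i];
        return diff == 0;
    }
}
```

Because this page has no form, no hidden field is generated either, so nothing further needs to be disabled for it.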
As mentioned above, disabling antiforgery token validation does not stop the hidden field or cookie from being generated, so to stop the FormTagHelper generating the token for a single form we disable it on that form:
<form method="post" asp-antiforgery="false"></form>
That is all for this topic. If you are interested, try it out yourself.