Disable antiforgery token validation on Razor Pages in ASP.NET Core 2.0

Time:2020-2-19

In this short article I'll show you how to disable antiforgery token validation in ASP.NET Core Razor Pages.

Razor Pages is a page-based programming model added in ASP.NET Core 2.0 for building dynamic, data-driven websites. It supports cross-platform development and can be deployed on Windows, Linux and macOS.

Cross-Site Request Forgery (also known as XSRF or CSRF) is an attack on web-hosted applications in which a malicious website interferes with the interaction between a client browser and a website that browser trusts. The attack is possible because browsers automatically attach certain credentials, such as cookies, to every request they send to a site, regardless of which page triggered the request. It is also called a one-click attack or session riding, because it exploits a session the user has already authenticated. See my other post on this topic: preventing Cross-Site Request Forgery (XSRF/CSRF) attacks in ASP.NET Core.

Razor Pages defends against Cross-Site Request Forgery by default: antiforgery token generation and validation are built in and enabled for every page. In some cases, however, you may want to disable it.

Global disable

To disable antiforgery token validation for all Razor Pages, configure it in the ConfigureServices method of the Startup class:


public void ConfigureServices(IServiceCollection services)
{
    services.AddMvc().AddRazorPagesOptions(o =>
    {
        // Apply IgnoreAntiforgeryToken to every page, overriding the default validation filter
        o.Conventions.ConfigureFilter(new IgnoreAntiforgeryTokenAttribute());
    });
}

This turns off antiforgery token validation for the entire application. Every POST handler that relies on cookie-based authentication is then exposed to CSRF, so prefer the per-page approach described under "Partial disable" unless you really need this. Note also that disabling validation does not stop the hidden form field or the antiforgery cookie from being generated; it only skips the validation step.

We know that the antiforgery token is generated by FormTagHelper. Fortunately, ASP.NET Core MVC provides a way to configure a tag helper globally:


public void ConfigureServices(IServiceCollection services)
{
    // Stop every <form> rendered by the tag helper from emitting the hidden token field
    services.AddMvc().InitializeTagHelper<FormTagHelper>((helper, context) => helper.Antiforgery = false);
}

So the complete code for disabling antiforgery token generation and validation globally is as follows:


public void ConfigureServices(IServiceCollection services)
{
    services.AddMvc().AddRazorPagesOptions(o =>
    {
        o.Conventions.ConfigureFilter(new IgnoreAntiforgeryTokenAttribute());
    }).InitializeTagHelper<FormTagHelper>((helper, context) => helper.Antiforgery = false);
}

Partial disable

If you want to disable validation for a specific page only, there are two ways:

1. Configure it in the ConfigureServices method of the Startup class, supplying the path of the page:


public void ConfigureServices(IServiceCollection services)
{
    services.AddMvc().AddRazorPagesOptions(options =>
    {
        // Add the ignore filter to the /demo page model only; all other pages keep validation
        options.Conventions.AddPageApplicationModelConvention("/demo",
            pageApplicationModel => pageApplicationModel.Filters.Add(new IgnoreAntiforgeryTokenAttribute()));
    });
}

Here we disable antiforgery token validation for the /demo page only; the string is the page's root-relative name under the Pages folder, without the .cshtml extension.

2. Apply the attribute to the PageModel:


[IgnoreAntiforgeryToken(Order = 1001)]
public class DemoModel : PageModel
{
    public void OnPost()
    {
        // Handles the POST without requiring an antiforgery token
    }
}

The antiforgery validation filter that Razor Pages applies automatically has a default Order of 1000, so the IgnoreAntiforgeryToken attribute needs a higher Order to take precedence over it. In Razor Pages the attribute is applied to the PageModel class, so it affects every handler on that page.

As noted above, disabling validation does not stop the hidden field or the cookie from being generated, so if you also want the form to stop emitting the token, turn it off on the form tag helper:


<form method="post" asp-antiforgery="false">
</form>
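The usual reason to exempt a single page is that it receives POSTs from another server, which can never present our antiforgery cookie and token. Once the token check is gone, something else has to prove the request is genuine. The page model below is an added example, not code from the original post: it combines the attribute from method 2 with a compensating control, an HMAC-SHA256 signature over the request body. The X-Signature header, the JSON content type and the Webhook:Secret configuration key are assumptions made for the example; no HTML form posts to this page, so there is no FormTagHelper to adjust.

```csharp
// Pages/Webhook.cshtml.cs -- added example, not code from the original post.
// The companion Pages/Webhook.cshtml only needs "@page" and "@model WebhookModel".
// Assumptions: the sender POSTs a JSON body (Content-Type: application/json) and
// puts hex(HMAC-SHA256(secret, body)) in an X-Signature header; the shared secret
// comes from the hypothetical configuration key "Webhook:Secret".
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.RazorPages;
using Microsoft.Extensions.Configuration;

// Antiforgery validation is switched off for this page only. The POST comes from a
// third-party server that never holds our antiforgery cookie, so the token check
// could only ever fail here. Order = 1001 outranks the auto-validate filter
// (Order 1000) that Razor Pages adds to every page model.
[IgnoreAntiforgeryToken(Order = 1001)]
public class WebhookModel : PageModel
{
    private readonly byte[] _secret;

    public WebhookModel(IConfiguration configuration)
    {
        var secret = configuration["Webhook:Secret"]
            ?? throw new InvalidOperationException("Webhook:Secret is not configured");
        _secret = Encoding.UTF8.GetBytes(secret);
    }

    public async Task<IActionResult> OnPostAsync()
    {
        // No [BindProperty] and a JSON content type, so nothing has consumed the
        // body before the handler runs and the raw bytes are still available.
        string body;
        using (var reader = new StreamReader(Request.Body, Encoding.UTF8))
        {
            body = await reader.ReadToEndAsync();
        }

        // Compensating control: the CSRF token no longer authenticates this request,
        // so the HMAC must. Without it anyone on the internet could post here.
        if (!Request.Headers.TryGetValue("X-Signature", out var signature) ||
            !IsValidSignature(body, signature.ToString()))
        {
            return new UnauthorizedResult();
        }

        // ... process the verified payload ...
        return new OkResult();
    }

    private bool IsValidSignature(string body, string hexSignature)
    {
        byte[] presented;
        try
        {
            presented = FromHex(hexSignature);
        }
        catch (FormatException)
        {
            return false; // malformed header: treat as an invalid signature
        }

        byte[] expected;
        using (var hmac = new HMACSHA256(_secret))
        {
            expected = hmac.ComputeHash(Encoding.UTF8.GetBytes(body));
        }
        return FixedTimeEquals(expected, presented);
    }

    private static byte[] FromHex(string hex)
    {
        if (hex.Length % 2 != 0)
        {
            throw new FormatException("odd-length hex string");
        }
        var bytes = new byte[hex.Length / 2];
        for (var i = 0; i < bytes.Length; i++)
        {
            bytes[i] = Convert.ToByte(hex.Substring(i * 2, 2), 16);
        }
        return bytes;
    }

    // Compare every byte regardless of where the first mismatch is, so response
    // time does not reveal how much of a guessed signature was correct.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length)
        {
            return false;
        }
        var diff = 0;
        for (var i = 0; i < a.Length; i++)
        {
            diff |= a[i] ^ b[i];
        }
        return diff == 0;
    }
}
```

If you would rather keep the page model free of the attribute, the AddPageApplicationModelConvention("/Webhook", ...) form from method 1 does the same job from Startup. Either way, the exemption is limited to this one page; every other page still gets the automatic validation filter.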

That's all for this topic. If you are interested, try it out yourself.