Changing Cookie Names - ASP.NET Security

Overview

ASP.NET's authentication, session and anti-forgery features can use cookies. One part of securing your ASP.NET site is to change the names of these cookies so as to obscure the technology underlying your website. This article explains how.

Procedure

Forms Authentication (Legacy)

Change or add the following setting in your web.config file: //configuration/system.web/authentication/forms/@name

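<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- name sets the name of the Forms Authentication cookie -->
      <forms loginUrl="~/Account/Login" defaultUrl="~" name="tokenA" />
    </authentication>
    <!-- . . . -->
  </system.web>
</configuration>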

Forms Authentication

Change or add the following setting in your web.config file: //configuration/system.web/sessionState/@cookieName

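<configuration>
  <system.web>
    <!-- cookieName sets the name of the session-state cookie -->
    <sessionState cookieName="tokenA" />
    <!-- . . . -->
  </system.web>
</configuration>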

ASP.NET Identity

Add a line within Startup.Auth.cs:

using Microsoft.AspNet.Identity;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Owin;

public partial class Startup
{
	public void ConfigureAuth(IAppBuilder app)
	{
		app.UseCookieAuthentication(new CookieAuthenticationOptions
		{
			AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
			LoginPath = new PathString("/Account/Login"),

			/* Add the following line */
			CookieName = "tokenB"

		});

		// . . .
	}
}

Cross-Site Request Forgery

Add a line within your Global.asax.cs file.

public class MvcApplication : System.Web.HttpApplication
{
	protected void Application_Start()
	{
		// Rename the anti-forgery (CSRF) token cookie
		System.Web.Helpers.AntiForgeryConfig.CookieName = "tokenC";

		// . . .
	}
}
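
To confirm the renames took effect, the check below scans a response's Set-Cookie headers for framework default cookie names. It is an added example, not part of the original article; the list of default names is supplied here as an assumption about a stock ASP.NET setup, and the sample headers are constructed.

```python
"""Flag ASP.NET default cookie names left in Set-Cookie response headers."""

# Framework default names that each setting in this article replaces (assumed list).
# Matching is by prefix so suffixed variants of a default name are caught too.
DEFAULT_COOKIE_PREFIXES = {
    ".ASPXAUTH": "Forms Authentication (forms/@name)",
    "ASP.NET_SessionId": "Session state (sessionState/@cookieName)",
    ".AspNet.": "ASP.NET Identity (CookieAuthenticationOptions.CookieName)",
    "__RequestVerificationToken": "Anti-forgery (AntiForgeryConfig.CookieName)",
}


def cookie_name(set_cookie_value):
    """Return the cookie name from one Set-Cookie header value."""
    first_pair = set_cookie_value.split(";", 1)[0]
    return first_pair.split("=", 1)[0].strip()


def find_default_cookies(set_cookie_values):
    """Return (cookie name, mechanism) for every header using a default name."""
    findings = []
    for value in set_cookie_values:
        name = cookie_name(value)
        for prefix, mechanism in DEFAULT_COOKIE_PREFIXES.items():
            # Compare case-insensitively so differently cased variants are flagged.
            if name.lower().startswith(prefix.lower()):
                findings.append((name, mechanism))
                break
    return findings


# Constructed sample headers: one set with default names, one set using the
# names configured in this article (cookie values are placeholders).
SAMPLE_BEFORE = [
    "ASP.NET_SessionId=abc123; path=/; HttpOnly",
    ".AspNet.ApplicationCookie=xyz; path=/; HttpOnly",
    "__RequestVerificationToken_L2FwcA2=tok; path=/; HttpOnly",
]
SAMPLE_AFTER = [
    "tokenA=abc123; path=/; HttpOnly",
    "tokenB=xyz; path=/; HttpOnly",
    "tokenC=tok; path=/; HttpOnly",
]

if __name__ == "__main__":
    for name, mechanism in find_default_cookies(SAMPLE_BEFORE):
        print(f"default cookie name still in use: {name} ({mechanism})")
    print("after rename:", find_default_cookies(SAMPLE_AFTER) or "no defaults found")
```

Feed it the Set-Cookie values captured from your own site's login and form pages; an empty result means none of the listed default names is being issued.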