diff --git a/src/Microsoft.AspNet.Antiforgery/AntiforgeryOptions.cs b/src/Microsoft.AspNet.Antiforgery/AntiforgeryOptions.cs
index 2308e36699..49656dd068 100644
--- a/src/Microsoft.AspNet.Antiforgery/AntiforgeryOptions.cs
+++ b/src/Microsoft.AspNet.Antiforgery/AntiforgeryOptions.cs
@@ -11,10 +11,9 @@ namespace Microsoft.AspNet.Antiforgery
public class AntiforgeryOptions
{
private const string AntiforgeryTokenFieldName = "__RequestVerificationToken";
- private const string AntiforgertyTokenHeaderName = "RequestVerificationToken";
+ private const string AntiforgeryTokenHeaderName = "RequestVerificationToken";
private string _cookieName;
- private string _headerName = AntiforgertyTokenHeaderName;
private string _formFieldName = AntiforgeryTokenFieldName;
///
@@ -64,11 +63,7 @@ namespace Microsoft.AspNet.Antiforgery
/// Specifies the name of the header value that is used by the antiforgery system. If null then
/// antiforgery validation will only consider form data.
///
- public string HeaderName
- {
- get { return _headerName; }
- set { _headerName = value; }
- }
+ public string HeaderName { get; set; } = AntiforgeryTokenHeaderName;
///
/// Specifies whether SSL is required for the antiforgery system
diff --git a/src/Microsoft.AspNet.Antiforgery/DefaultAntiforgeryTokenGenerator.cs b/src/Microsoft.AspNet.Antiforgery/DefaultAntiforgeryTokenGenerator.cs
index 32a2581f71..8cd2160238 100644
--- a/src/Microsoft.AspNet.Antiforgery/DefaultAntiforgeryTokenGenerator.cs
+++ b/src/Microsoft.AspNet.Antiforgery/DefaultAntiforgeryTokenGenerator.cs
@@ -123,7 +123,7 @@ namespace Microsoft.AspNet.Antiforgery
}
// Are the security tokens embedded in each incoming token identical?
- if (!Equals(cookieToken.SecurityToken, requestToken.SecurityToken))
+ if (!object.Equals(cookieToken.SecurityToken, requestToken.SecurityToken))
{
throw new InvalidOperationException(Resources.AntiforgeryToken_SecurityTokenMismatch);
}
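Review bot: The security-token check at `if (!object.Equals(cookieToken.SecurityToken, requestToken.SecurityToken))` depends entirely on the `Equals` override of the SecurityToken type, which is not visible in this hunk. `object.Equals` does a reference and null check and then calls that override, so a reader cannot tell from here whether two secret values are compared in fixed time. I would add a comment above the check such as `// SecurityToken.Equals is expected to be a fixed-time comparison; do not replace it with a short-circuiting one.` and confirm that this holds in the type. The enclosing method starts and ends outside the hunk.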
@@ -144,15 +144,14 @@ namespace Microsoft.AspNet.Antiforgery
// OpenID and other similar authentication schemes use URIs for the username.
// These should be treated as case-sensitive.
- var useCaseSensitiveUsernameComparison =
- currentUsername.StartsWith("http://", StringComparison.OrdinalIgnoreCase) ||
- currentUsername.StartsWith("https://", StringComparison.OrdinalIgnoreCase);
+ var comparer = StringComparer.OrdinalIgnoreCase;
+ if (currentUsername.StartsWith("http://", StringComparison.OrdinalIgnoreCase) ||
+ currentUsername.StartsWith("https://", StringComparison.OrdinalIgnoreCase))
+ {
+ comparer = StringComparer.Ordinal;
+ }
- if (!string.Equals(requestToken.Username,
- currentUsername,
- (useCaseSensitiveUsernameComparison) ?
- StringComparison.Ordinal :
- StringComparison.OrdinalIgnoreCase))
+ if (!comparer.Equals(requestToken.Username, currentUsername))
{
throw new InvalidOperationException(
Resources.FormatAntiforgeryToken_UsernameMismatch(requestToken.Username, currentUsername));
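Review bot: The retained comment about OpenID URIs now sits directly above `var comparer = StringComparer.OrdinalIgnoreCase;`, so it reads as if it described the case-insensitive default rather than the branch that selects `StringComparer.Ordinal`. I would move those two comment lines above the `if` and put `// Default: usernames are compared case-insensitively.` on the first assignment. That default treats accounts differing only by case as the same user during token validation, which is correct only if the identity store does the same, so it deserves to be stated. Separately, the mismatch message on the context lines formats both `requestToken.Username` and `currentUsername`. Whether that text can reach the HTTP response is not visible here, but it is worth confirming it is only logged. The method continues outside the hunk.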