12

The provided anti-forgery token was meant for user "", but the current user is "xxxx ".

I have followed every single solution possible to get rid of this error without any success:

Here is the scenario: I have 2 separate log in tabs open in my browser tab A Tab B: 1. I login to my site in Tab A 2. Then try to log in Tab B

The above error then occurs

My C# web MVC login view has:

v class="col-md-4 col-md-offset-4">
                <form class="form-signin" role="form" action=@Url.Action("Login", "Account") method="POST" id="signInForm">
                     @Html.AntiForgeryToken()
                    <div class="form-group">
                        <label for="loginEmail">Email</label>
                        <input  type="text" id="loginEmail" name="loginEmail" class="form-control" placeholder="Email address" >
                    </div>
                    <div class="form-group">
                        <label for="loginPassword">Password</label>
                        <input id="loginPassword" type="password"  name="loginPassword" class="form-control" placeholder="Password" >
                    </div>
                    <button class="btn btn-lg btn-primary btn-block main-btn" type="submit">Sign in</button>
                    <div>
                        <br>
                        <a href="@Url.Action("Index","GettingStarted")">Register</a><br>
                        <a href="@Url.Action("ForgotPassword","Account")">Forgot your password?</a>
                    </div>
                </form>

And my accounts controller like this:

[HttpPost]
[AllowAnonymous]
[ValidateAntiForgeryToken]
public ActionResult Login(LoginModel model)
{

    if (ModelState.IsValid)
    {

How can I fix this error?

user1526912
  • 15,818
  • 14
  • 57
  • 92
  • It's not- at least not in my window (refreshed as well) – Nyra Nov 17 '14 at 18:11
  • 1
    When would this ever be an issue in a real world scenario anyways (meaning how does one end up trying to login twice from two tabs to the same site)? Once you log in on Tab A, you are logged in on Tab B, just refresh the page... – Tommy Nov 18 '14 at 04:16
  • Does this answer your question? [A way of properly handling HttpAntiForgeryException in MVC 4 application](https://stackoverflow.com/questions/12967917/a-way-of-properly-handling-httpantiforgeryexception-in-mvc-4-application) – MikeTeeVee Aug 06 '21 at 18:39

1 Answers1

22

This happens because the two browser tabs share the same cookie store. Authenticating with the first tab sets a new cookie that identifies your username. When the second tab is submitted it will pass the updated cookie retrieved from the successful authentication in the first tab, along with the hidden form field that was loaded before authentication that identifies you as an anonymous user. Because the usernames in the cookie and the hidden form field don't match the validation fails.

The AntiForgeryWorker that ValidateAntiForgeryTokenAttribute uses encodes the authenticated username into both the cookie and the hidden form field and ensures they both match when validating. As such whenever you authenticate, or change users this validation will fail, if posting to an action with the ValidateAntiForgeryTokenAttribute.

Unfortunately this means your options are limited to not protecting the login action with ValidateAntiForgeryTokenAttribute, Ignoring the scenario that you describe and letting validation fail, or reimplementing the AntiForgery implementation in MVC such that is does not include the username in the validation procedure.

Sam Greenhalgh
  • 5,952
  • 21
  • 37
  • http://stackoverflow.com/questions/14970102/anti-forgery-token-is-meant-for-user-but-the-current-user-is-username lists some options you have. – Lukas Jan 19 '16 at 15:59
  • This is the first decent answer i've found on SO regarding this subject. nice work! – Timothy Groote Jun 16 '16 at 06:58