
I saw many people had this problem for different reasons and until now I could not find any solution but remove the AntiForgeryToken.

My app is structured like this:

  • Login form (AllowAnonymous, uses a single AntiForgeryToken)

  • Data manipulation page (Only authenticated users, several AntiForgeryTokens, one for each modal window and their <form> tags)

If I open the application and log in with the user A, I can insert information using the data manipulation page correctly. However, if I just go to this data manipulation page, log out of the current user (A), log in with the user B and go to the data manipulation page again, I receive the error "The provided anti-forgery token was meant for user 'PREVIOUS', but the current user is 'CURRENT'" when I click the submit button.

I'm using only the form button to submit, without AJAX. This application is running on ASP.Net MVC 4, using FormsAuthentication and using the following code to log out users:

HttpContext.Session.Clear();
FormsAuthentication.SignOut();

What do I have to do to fix it? It's been 6 hours and I've tried many things, but with no success.

PS: I did a previous search on StackOverflow and:

  • no, I'm not using Ajax to log in or to insert the data
  • I don't have more than one AntiForgeryToken on any form, but I do have pages with more than one form (each with their own AntiForgeryToken)
  • How do you create your modal windows? – Legends Jun 24 '16 at 21:26
  • They are placed in a partial view rendered using `@Html.Partial("Partial/_DesenhosPrevistos", Model.DesenhosPrevistos)`, then I use JavaScript to show/hide them. – juliano.net Jun 25 '16 at 16:49
  • I think [this](http://stackoverflow.com/a/15615786/2581562) is your problem – Legends Jun 25 '16 at 22:26
  • I don't think so. This guy was creating a SPA (single page application), thus the need to make an async request to page with just the AntiForgeryToken to replace the value. I'm using Partials but they are added to the controller response content, without using any JavaScript. – juliano.net Jun 26 '16 at 02:23
  • Change of identity during form completion: the validation code that runs against an AntiForgeryToken also checks that your logged-in user credentials haven't changed – these are also encrypted in the cookie. This means that if you logged in or out in a popup or another browser tab, your form submission will fail with the following exception: System.Web.Mvc.HttpAntiForgeryException (0x80004005): The provided anti-forgery token was meant for user "", but the current user is xxx. `AntiForgeryConfig.SuppressIdentityHeuristicChecks = true;` Use with care. – Legends Jun 26 '16 at 09:02
  • Already did that in the global.asax file but the result is the same. I'm able to reproduce the problem using the same browser tab. It seems to be a cache problem because the error message says that the user that the token is meant for is the ID of the currently logged in user (it's not blank like in your comment and the answer you suggested). – juliano.net Jun 26 '16 at 11:28
  • Of course it's a suggestion, I cannot see your code, but if you create a POC where the problem is reproducible I will take a look... – Legends Jun 26 '16 at 14:04
  • 1
    I double checked the code and the Network tab of Chrome Developer Tools and found that there was a script that was overwriting the click event. This code was loading the modal window using Ajax, so I added a time parameter to the querystring and now the caching problem has been solved. Thank you @Legends – juliano.net Jun 27 '16 at 13:52
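As an added illustration of the root cause the comments arrive at (a cached Ajax response carrying a token issued for the previous user), here is a server-side alternative to the timestamp-in-querystring workaround: tell the browser not to cache the partial that renders the modal, so every load carries a token for the identity that is logged in now. This is example code, not code from the question or from the asker's project; the controller, view model and repository names (`DesenhosController`, `DesenhosPrevistosViewModel`, `IDesenhosRepository`) are hypothetical, while `OutputCache`, `ValidateAntiForgeryToken` and `FormsAuthentication.SignOut()` are the real ASP.NET MVC 4 / System.Web APIs.

```csharp
using System.Web.Mvc;
using System.Web.Security;

// Hypothetical view model and data-access interface, defined only so the
// controllers below are self-contained.
public class DesenhosPrevistosViewModel
{
    public int Id { get; set; }
    public string Descricao { get; set; }
}

public interface IDesenhosRepository
{
    DesenhosPrevistosViewModel GetDesenhosPrevistos(int id);
    void Save(DesenhosPrevistosViewModel model);
}

[Authorize]
public class DesenhosController : Controller
{
    private readonly IDesenhosRepository _repository; // hypothetical

    public DesenhosController(IDesenhosRepository repository)
    {
        _repository = repository;
    }

    // GET endpoint that the modal window's script loads via Ajax.
    // NoStore + Duration = 0 marks the response as not cacheable, so neither the
    // browser nor an intermediate proxy keeps a copy rendered for a previous
    // identity. Each request therefore returns a partial whose
    // @Html.AntiForgeryToken() belongs to the user who is logged in right now.
    [OutputCache(NoStore = true, Duration = 0, VaryByParam = "None")]
    public ActionResult DesenhosPrevistos(int id)
    {
        var model = _repository.GetDesenhosPrevistos(id);
        return PartialView("Partial/_DesenhosPrevistos", model);
    }

    // The <form> inside the modal posts here. The token in the form body must
    // match the __RequestVerificationToken cookie and the current
    // User.Identity.Name; a token rendered for user A fails once user B is
    // logged in, which is exactly the error message in the question.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult SalvarDesenhosPrevistos(DesenhosPrevistosViewModel model)
    {
        if (!ModelState.IsValid)
        {
            return PartialView("Partial/_DesenhosPrevistos", model);
        }

        _repository.Save(model);
        return RedirectToAction("Index");
    }
}

public class AccountController : Controller
{
    // Log out with a POST protected by its own token, then redirect. Anything the
    // user sees next is rendered (and its tokens issued) after the identity
    // change, instead of reusing a page that still holds user A's tokens.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Logout()
    {
        Session.Clear();
        Session.Abandon();
        FormsAuthentication.SignOut();
        return RedirectToAction("Login");
    }
}
```

Disabling caching on the modal endpoint fixes the stale-token problem without resorting to `AntiForgeryConfig.SuppressIdentityHeuristicChecks`, which would switch off the user-identity binding that produced the error in the first place and should stay at its default unless the application genuinely cannot re-render after a login change.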
