 

Anti forgery token is meant for user "" but the current user is "username"



This is happening because the anti-forgery token embeds the username of the user as part of the encrypted token for better validation. When you first call @Html.AntiForgeryToken() the user is not logged in, so the token will have an empty string for the username. After the user logs in, if you do not replace the anti-forgery token it will not pass validation, because the initial token was for an anonymous user and now we have an authenticated user with a known username.

You have a few options to solve this problem:

  1. Just this time let your SPA do a full POST and when the page reloads it will have an anti-forgery token with the updated username embedded.

  2. Have a partial view with just @Html.AntiForgeryToken() and right after logging in, do another AJAX request and replace your existing anti-forgery token with the response of the request.

Note that setting AntiForgeryConfig.SuppressIdentityHeuristicChecks = true does not disable username validation, it simply changes how that validation works. See the ASP.NET MVC docs, the source code where that property is read, and the source code where the username in the token is validated regardless of the value of that config.
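Option 2 above, as an added example that is not part of the original answer: the client-side half of the swap. After the AJAX login succeeds, it fetches a partial view that renders only @Html.AntiForgeryToken() and writes the fresh, username-bound token into every form on the page. The refresh URL and the injectable fetchFn/root parameters are assumptions; __RequestVerificationToken is the field name the MVC helper emits.

```javascript
// Added example, not code from the answer: refresh the anti-forgery token after
// an AJAX login so the form no longer carries the token issued to the anonymous user.
const TOKEN_FIELD = "__RequestVerificationToken"; // field name emitted by @Html.AntiForgeryToken()
const REFRESH_URL = "/Account/AntiForgeryToken";   // assumed: action that returns the token-only partial view

// Pull the hidden field's value out of the partial view's HTML.
// Returns null when no usable token is present so the caller never
// replaces a working token with an empty or missing one.
function extractToken(html) {
  const inputTag = /<input\b[^>]*>/gi;
  const nameAttr = new RegExp(`name="${TOKEN_FIELD}"`, "i");
  let m;
  while ((m = inputTag.exec(html)) !== null) {
    if (nameAttr.test(m[0])) {
      const v = /value="([^"]*)"/i.exec(m[0]);
      return v && v[1] ? v[1] : null;
    }
  }
  return null;
}

// Overwrite the token in every hidden field handed in; returns the count updated.
function updateTokenFields(fields, token) {
  let updated = 0;
  for (const field of fields) {
    field.value = token;
    updated += 1;
  }
  return updated;
}

// Orchestration. fetchFn and root are injectable so the logic runs without a
// browser; in the page, call refreshAntiForgeryToken() right after login succeeds.
async function refreshAntiForgeryToken(fetchFn = fetch, root = document) {
  // same-origin credentials so the server sees the now-authenticated session
  const res = await fetchFn(REFRESH_URL, { credentials: "same-origin" });
  if (!res.ok) throw new Error(`token refresh failed: HTTP ${res.status}`);
  const token = extractToken(await res.text());
  if (token === null) throw new Error("token refresh response carried no token");
  const fields = root.querySelectorAll(`input[name="${TOKEN_FIELD}"]`);
  return updateTokenFields(fields, token);
}
```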


To fix the error you need to place the OutputCache data annotation on the GET ActionResult of the Login page, as follows:

    [OutputCache(NoStore = true, Duration = 0, VaryByParam = "None")]
    public ActionResult Login(string returnUrl)

It happens a lot of times with my application, so I decided to google for it!

I found a simple explanation for this error! The user is double-clicking the login button! You can see another user talking about that at the link below:

MVC 4 provided anti-forgery token was meant for user "" but the current user is "user"

I hope it helps! =)


The message appears when you login when you are already authenticated.

This helper does exactly the same thing as the [ValidateAntiForgeryToken] attribute.

    System.Web.Helpers.AntiForgery.Validate()

Remove the [ValidateAntiForgeryToken] attribute from the controller and place this helper in the action method.

So when the user is already authenticated, redirect to the home page; if not, continue with the verification of the anti-forgery token after this check.

    // An already-authenticated user never reaches token validation
    if (User.Identity.IsAuthenticated)
    {
        return RedirectToAction("Index", "Home");
    }

    // Same check the [ValidateAntiForgeryToken] attribute performs
    System.Web.Helpers.AntiForgery.Validate();

To try to reproduce the error, proceed as follows: you are on your login page and not authenticated. Duplicate the tab and log in with the second tab. Then come back to the first tab, still on the login page, and try to log in without reloading the page ... you get this error.


I had the same problem, and this dirty hack got it fixed, at least until I can fix it in a cleaner way.

    public ActionResult Login(string returnUrl)
    {
        // If a signed-in user lands on the login page, sign them out and
        // reload it so the page is rendered with an anonymous token again
        if (AuthenticationManager.User.Identity.IsAuthenticated)
        {
            AuthenticationManager.SignOut();
            return RedirectToAction("Login");
        }

...


I have the same exception occurring most of the time on the production server.

Why does it happen?

It happens when a user logs in with valid credentials, is redirected to another page, and then presses the back button: the login page is shown again, and when they enter valid credentials a second time, this exception occurs.

How to solve?

Just add this line and it works perfectly, with no error.

    [OutputCache(NoStore = true, Duration = 0, VaryByParam = "None")]