I am working on a logout feature in the application; we are using ASP.NET Identity login. I can log in successfully, but when I log out and then try to log in again I get the following message:
The provided anti-forgery token was meant for a different claims-based user than the current user.
Here is my logout code:
```csharp
public ActionResult Logout()
{
    SignInManager.Logout();
    // Renders the Index view directly from this request, so the URL stays at /Login/Logout
    return View("Index");
}
```

**SignInManager.cs**

```csharp
public void Logout()
{
    AuthenticationManager.SignOut();
}
```
After the user presses the logout button he is taken to the login screen. The URL still says "http://localhost:8544/Login/Logout". Since we are on the login screen, maybe it should just say "http://localhost:8544/Login".
The purpose of using anti-forgery tokens is to prevent cross-site request forgery (CSRF) attacks. It does this by submitting two different values to the server on any given POST, both of which must exist in order for the server to allow the request.
To prevent CSRF attacks, use anti-forgery tokens with any authentication protocol where the browser silently sends credentials after the user logs in. This includes cookie-based authentication protocols, such as forms authentication, as well as protocols such as Basic and Digest authentication.
AntiForgeryToken(String): Generates a hidden form field (anti-forgery token) that is validated when the form is submitted. The field value is generated using the specified salt value. To specify custom data to be embedded within the token, use the static AntiForgeryConfig.AdditionalDataProvider property.
What worked for me was switching the order of the middlewares used. Add `app.UseAuthentication()` first and then the antiforgery stuff. This is how I did it:
```csharp
// Assumed context: inside Startup.Configure(IApplicationBuilder app, IAntiforgery antiforgery)
app.UseAuthentication();
app.Use(next => ctx =>
{
    var tokens = antiforgery.GetAndStoreTokens(ctx);
    ctx.Response.Cookies.Append("XSRF-TOKEN", tokens.RequestToken,
        new CookieOptions() { HttpOnly = false });
    return next(ctx);
});
```
Doing it the other way around creates a token that is not meant for authenticated users.
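As an added example (not code from the question or the answer above), the middleware order from the answer laid out in a complete ASP.NET Core `Configure` method, together with a login/logout controller whose logout redirects instead of rendering the login view in the same request. It goes beyond the answer in showing the logout side on the same reasoning: the token is bound to whatever `HttpContext.User` is at the moment it is generated. `LoginController`, `IdentityUser`, the `ConfigureServices` registration (Identity plus MVC, omitted here) and the `Secure`/`SameSite` cookie options are assumptions.

```csharp
using Microsoft.AspNetCore.Antiforgery;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using System.Threading.Tasks;
public class Startup
{
    public void Configure(IApplicationBuilder app, IAntiforgery antiforgery)
    {
        app.UseRouting();
        // Authentication first: from here on HttpContext.User carries the identity from
        // the auth cookie, and the antiforgery token generated below is bound to it.
        app.UseAuthentication();
        // Issue the request token only now. Running this block before UseAuthentication()
        // binds it to the anonymous user: the "meant for a different claims-based user" case.
        app.Use(next => ctx =>
        {
            AntiforgeryTokenSet tokens = antiforgery.GetAndStoreTokens(ctx);
            ctx.Response.Cookies.Append("XSRF-TOKEN", tokens.RequestToken,
                new CookieOptions { HttpOnly = false, Secure = true, SameSite = SameSiteMode.Strict });
            return next(ctx);
        });
        app.UseAuthorization();
        app.UseEndpoints(endpoints => endpoints.MapDefaultControllerRoute());
    }
}
// Assumed controller (not from the page): /Login renders the form, /Login/Logout signs out.
public class LoginController : Controller
{
    private readonly SignInManager<IdentityUser> _signInManager;
    public LoginController(SignInManager<IdentityUser> signInManager) => _signInManager = signInManager;
    public IActionResult Index() => View();
    [HttpPost, ValidateAntiForgeryToken] // rejects a POST whose token does not match cookie and user
    public async Task<IActionResult> Index(string userName, string password)
    {
        var result = await _signInManager.PasswordSignInAsync(userName, password, isPersistent: false, lockoutOnFailure: true);
        return result.Succeeded ? RedirectToAction("Index", "Home") : View();
    }
    [HttpPost, ValidateAntiForgeryToken]
    public async Task<IActionResult> Logout()
    {
        await _signInManager.SignOutAsync();
        // Redirect instead of View("Index"): the login form is then rendered by a fresh
        // anonymous request, so its token matches the user who will submit it.
        return RedirectToAction(nameof(Index));
    }
}
```

With the redirect, the browser also lands on /Login rather than /Login/Logout, which is the URL the question expected.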