Anti-Forgery Token was meant for a different claims-based user

I am working on a logout feature in an application that uses ASP.NET Identity for login. I can log in successfully, but when I log out and then try to log in again I get the following message:

The provided anti-forgery token was meant for a different claims-based user than the current user. 

Here is my logout code:

```csharp
public ActionResult Logout()
{
    SignInManager.Logout();
    // Renders the Index view directly, so the browser stays on /Login/Logout
    return View("Index");
}
```

**SignInManager.cs**

```csharp
public void Logout()
{
    // OWIN authentication manager clears the Identity cookie
    AuthenticationManager.SignOut();
}
```

After the user presses the logout button he is taken to the login screen. The URL still says "http://localhost:8544/Login/Logout". Since we are on the login screen maybe it should just say "http://localhost:8544/Login".

john doe asked Mar 25 '16 16:03


1 Answer

What worked for me was switching the order of the middlewares used. Add app.UseAuthentication() first and then the antiforgery stuff. This is how I did it:

```csharp
app.UseAuthentication();
// antiforgery is the injected IAntiforgery service
app.Use(next => ctx =>
{
    var tokens = antiforgery.GetAndStoreTokens(ctx);
    ctx.Response.Cookies.Append("XSRF-TOKEN", tokens.RequestToken,
        new CookieOptions() { HttpOnly = false });
    return next(ctx);
});
```

Doing it the other way around creates a token that is not meant for authenticated users.

Arturo Moreno answered Sep 28 '22 10:09

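The two points the question and answer touch on, as an added example that is not code from either poster: an ASP.NET Core pipeline with authentication registered before the antiforgery cookie middleware, and a logout action that redirects instead of rendering a view, so the next request is built for the (now anonymous) user and gets a matching token. The user type ApplicationUser and the cookie/header names XSRF-TOKEN / X-XSRF-TOKEN are assumptions.

```csharp
using Microsoft.AspNetCore.Antiforgery;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;
using System.Threading.Tasks;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddControllersWithViews();
        // Header a JavaScript client sends the request token in (assumed name).
        services.AddAntiforgery(options => options.HeaderName = "X-XSRF-TOKEN");
        // Identity / authentication registration omitted for brevity.
    }

    public void Configure(IApplicationBuilder app, IAntiforgery antiforgery)
    {
        app.UseRouting();
        // 1. Authentication first: it fills HttpContext.User from the cookie.
        app.UseAuthentication();
        // 2. Only now is the token bound to the signed-in identity. Placed before
        //    UseAuthentication(), GetAndStoreTokens sees an anonymous user and
        //    mints a token that fails validation once the user is authenticated.
        app.Use(async (ctx, next) =>
        {
            var tokens = antiforgery.GetAndStoreTokens(ctx);
            ctx.Response.Cookies.Append("XSRF-TOKEN", tokens.RequestToken,
                new CookieOptions { HttpOnly = false, Secure = true });
            await next();
        });
        app.UseAuthorization();
        app.UseEndpoints(endpoints => endpoints.MapDefaultControllerRoute());
    }
}

public class LoginController : Controller
{
    private readonly SignInManager<ApplicationUser> _signInManager;
    public LoginController(SignInManager<ApplicationUser> m) => _signInManager = m;

    [HttpPost, ValidateAntiForgeryToken]
    public async Task<IActionResult> Logout()
    {
        await _signInManager.SignOutAsync();
        // Sign-out only clears the cookie in this response; a view rendered here
        // would still embed a token for the old user. Redirect so the next GET
        // arrives anonymous and receives a token that matches the login POST.
        return RedirectToAction("Index");
    }
}
```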