The provided anti-forgery token was meant for user "", but the current user is "xxxx ".
I have followed every single solution possible to get rid of this error without any success:
Here is the scenario: I have 2 separate login tabs open in my browser, Tab A and Tab B:
1. I log in to my site in Tab A
2. Then try to log in in Tab B
The above error then occurs.
My C# web MVC login view has:
<div class="col-md-4 col-md-offset-4">
<form class="form-signin" role="form" action="@Url.Action("Login", "Account")" method="POST" id="signInForm">
@Html.AntiForgeryToken()
<div class="form-group">
<label for="loginEmail">Email</label>
<input type="text" id="loginEmail" name="loginEmail" class="form-control" placeholder="Email address" >
</div>
<div class="form-group">
<label for="loginPassword">Password</label>
<input id="loginPassword" type="password" name="loginPassword" class="form-control" placeholder="Password" >
</div>
<button class="btn btn-lg btn-primary btn-block main-btn" type="submit">Sign in</button>
<div>
<br>
<a href="@Url.Action("Index","GettingStarted")">Register</a><br>
<a href="@Url.Action("ForgotPassword","Account")">Forgot your password?</a>
</div>
</form>
</div>
And my accounts controller like this:
[HttpPost]
[AllowAnonymous]
[ValidateAntiForgeryToken]
public ActionResult Login(LoginModel model)
{
if (ModelState.IsValid)
{
How can I fix this error?
Anti-forgery token validation is enabled by default in Razor Pages. You can disable validation either globally or on individual pages by using [IgnoreAntiforgeryToken]. You can prevent forms from creating anti-forgery tokens by using asp-antiforgery="false" in the form tag helper.
ASP.NET Core uses a hidden field to store the anti-forgery token and uses the ValidateAntiForgeryToken attribute to validate the token. The token is sent to the browser in a hidden field and is also stored in an HttpOnly cookie.
This happens because the two browser tabs share the same cookie store. Authenticating with the first tab sets a new cookie that identifies your username. When the second tab is submitted it will pass the updated cookie retrieved from the successful authentication in the first tab, along with the hidden form field that was loaded before authentication that identifies you as an anonymous user. Because the usernames in the cookie and the hidden form field don't match the validation fails.
The AntiForgeryWorker that ValidateAntiForgeryTokenAttribute uses encodes the authenticated username into both the cookie and the hidden form field and ensures they both match when validating. As such, whenever you authenticate or change users, this validation will fail if you are posting to an action with the ValidateAntiForgeryTokenAttribute.
Unfortunately this means your options are limited to: not protecting the login action with ValidateAntiForgeryTokenAttribute, ignoring the scenario that you describe and letting validation fail, or reimplementing the AntiForgery implementation in MVC such that it does not include the username in the validation procedure.
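The "let validation fail" option from the answer above can be made less abrupt without weakening the check. The filter below is an added example, not code from the question or from ASP.NET MVC itself; the attribute name ValidateAntiForgeryTokenOrRefreshAttribute and the decision to redirect to the Account/Login GET action are assumptions chosen for illustration. It runs the same AntiForgery.Validate() call that [ValidateAntiForgeryToken] runs, but when validation fails and the request cookie already identifies a signed-in user (the stale tab B submission), it discards the submission and redirects instead of surfacing HttpAntiForgeryException as a server error:

```csharp
using System;
using System.Web.Helpers;
using System.Web.Mvc;
using System.Web.Routing;

// Hypothetical replacement for [ValidateAntiForgeryToken] on the Login POST action.
// Added for illustration; not part of the question's code base or of ASP.NET MVC.
[AttributeUsage(AttributeTargets.Method | AttributeTargets.Class, AllowMultiple = false, Inherited = true)]
public sealed class ValidateAntiForgeryTokenOrRefreshAttribute : FilterAttribute, IAuthorizationFilter
{
    public void OnAuthorization(AuthorizationContext filterContext)
    {
        if (filterContext == null)
        {
            throw new ArgumentNullException("filterContext");
        }

        try
        {
            // Same check the stock attribute performs: reads the __RequestVerificationToken
            // cookie and form field and verifies they were issued together for the same user.
            AntiForgery.Validate();
        }
        catch (HttpAntiForgeryException)
        {
            var identity = filterContext.HttpContext.User != null
                ? filterContext.HttpContext.User.Identity
                : null;

            if (identity != null && identity.IsAuthenticated)
            {
                // The cookie already names a signed-in user (sign-in completed in another tab),
                // while the form token was minted for an anonymous user. The submission is stale
                // rather than forged, and the posted credentials are never processed: short-circuit
                // the action and send the browser back to the GET Login action, which renders the
                // view with a token pair matching the current cookie.
                filterContext.Result = new RedirectToRouteResult(
                    new RouteValueDictionary
                    {
                        { "controller", "Account" },
                        { "action", "Login" }
                    });
                return;
            }

            // Any other mismatch is a genuine validation failure; keep the default behaviour.
            throw;
        }
    }
}
```

Apply it to the Login POST in place of [ValidateAntiForgeryToken]. Setting filterContext.Result means the action method never executes, so a forged request still cannot sign anyone in or change state; the only change is that the stale tab gets a redirect instead of an error page. Because the user is already authenticated by the time the redirect is followed, the GET Login action should send authenticated users on into the application rather than rendering the form again, otherwise the refreshed tab simply shows a second login form.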