How can I fix anti-forgery token was meant for user "", but the current user is "xxxx " error

Question

The provided anti-forgery token was meant for user "", but the current user is "xxxx ".

I have followed every single solution possible to get rid of this error without any success:

Here is the scenario: I have 2 separate log in tabs open in my browser tab A Tab B: 1. I login to my site in Tab A 2. Then try to log in Tab B

The above error then occurs

My C# web MVC login view has:

v class="col-md-4 col-md-offset-4">
                <form class="form-signin" role="form" [email protected]("Login", "Account") method="POST" id="signInForm">
                     @Html.AntiForgeryToken()
                    <div class="form-group">
                        <label for="loginEmail">Email</label>
                        <input  type="text" id="loginEmail" name="loginEmail" class="form-control" placeholder="Email address" >
                    </div>
                    <div class="form-group">
                        <label for="loginPassword">Password</label>
                        <input id="loginPassword" type="password"  name="loginPassword" class="form-control" placeholder="Password" >
                    </div>
                    <button class="btn btn-lg btn-primary btn-block main-btn" type="submit">Sign in</button>
                    <div>
                        <br>
                        <a href="@Url.Action("Index","GettingStarted")">Register</a><br>
                        <a href="@Url.Action("ForgotPassword","Account")">Forgot your password?</a>
                    </div>
                </form>

And my accounts controller like this:

[HttpPost]
[AllowAnonymous]
[ValidateAntiForgeryToken]
public ActionResult Login(LoginModel model)
{

    if (ModelState.IsValid)
    {

How can I fix this error?

Answer 1

This happens because the two browser tabs share the same cookie store. Authenticating with the first tab sets a new cookie that identifies your username. When the second tab is submitted it will pass the updated cookie retrieved from the successful authentication in the first tab, along with the hidden form field that was loaded before authentication that identifies you as an anonymous user. Because the usernames in the cookie and the hidden form field don't match the validation fails.

The AntiForgeryWorker that ValidateAntiForgeryTokenAttribute uses encodes the authenticated username into both the cookie and the hidden form field and ensures they both match when validating. As such whenever you authenticate, or change users this validation will fail, if posting to an action with the ValidateAntiForgeryTokenAttribute.

Unfortunately this means your options are limited to not protecting the login action with ValidateAntiForgeryTokenAttribute, Ignoring the scenario that you describe and letting validation fail, or reimplementing the AntiForgery implementation in MVC such that is does not include the username in the validation procedure.