Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How to resolve: The provided anti-forgery token was meant for a different claims-based user than the current user

Tags:

c#

asp.net-mvc

I am getting this error:

The provided anti-forgery token was meant for a different claims-based user than the current user.

and I am not sure how to correct this..

I have a MVC5 site and in this site I have a login page.

This is the scenario that it occurs on.

  1. User AAA logs in. (No issues)
  2. I attempt to access a view where the user does not have access.
    • I have the class decorated with an Authorize(Roles="aa")
  3. The view then logs the user off and puts them back to the login page.
  4. User AAA logs in. (This time I get the error mentioned above)

To note:
I am using customErrors and this is where I see the error message.

When I log the user out I am running this method:

[HttpGet]
public void SignOut()
{
    IAuthenticationManager authenticationManager = HttpContext.GetOwinContext().Authentication;
    authenticationManager.SignOut(MyAuthentication.ApplicationCookie);
}

Could I possibly be missing something on the SignOut?

UPDATE:
This only occurs because of step #2 listed above.
If I log in, then log out (calling same code) then log back in, then I do not have this issue.

like image 588
John Doe Avatar asked Jan 03 '17 14:01

John Doe

1 Answers

I think you've neglected to post some relevant code. The Signout action you have returns void. If you were to access this action directly in the browser, then the user would get a blank page after being signed out with no way to progress forward. As a result, I can only assume you are either calling it via AJAX or calling as a method from another action.

The way anti-forgery works in MVC is that a cookie is set on the user's machine containing a unique generated token. If the user is logged in, their username is used to compose that token. In order for a new cookie, without a username to be set, the user must be logged out and a new request must occur to set the new cookie. If you merely log the user out without doing a redirect or something, the new user-less cookie will not have been set yet. Then, when the user posts, the old user-based cookie is sent back while MVC is looking for the new user-less cookie, and boom: there's your exception.

Like I said, you haven't posted enough code to determine exactly why or where this is occurring, but simply, make sure there is a new request made after logging the user out, so the new cookie can be set.

like image 119
Chris Pratt Avatar answered Oct 26 '22 23:10

Chris Pratt
Sign in to Comment

Related questions

Run a bunch async tasks when a certain execution order needs to be preserved
How to rollback a transaction using dapper
Connect to Microsoft Exchange PowerShell within C#
Should a class with only static methods be static? [closed]
Event handler and null-conditional operator [duplicate]
MongoDB C# Why can't you use DateTime.Date with IQueryable?
Automapper: Checking for null in MapFrom
Visual Studio - inserting multi-line expressions into Watch Window while debugging
How to run only one job concurrently?
QueueingBasicConsumer is deprecated. Which consumer is better to implement RabbitMq .net client
Linq to Entities Remove without fetching
FluentAssertions - how make ShouldBeEquivalentTo compare empty and null as equal
Except with LIKE condition in LINQ
Getting connected components from a QuickGraph graph
Unit Test Sessions failed to execute
How to use C# LINQ Union to get the Union of Custom list1 with list2
Exception for calling ToList() after conversion from uint[] to int[] in C#
Get relative Path of a file C#
Format decimal number with digit grouping and limit the number of digits
C# equivalent of Java 8 Default Methods in Interface

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!