How can I fix the error "The anti-forgery token provided was meant for user "", but the current user is "xxxx""?

The anti-forgery token provided was meant for user "", but the current user is "xxxx".

I have tried every solution I could find to get rid of this error, without any success.

Here is the scenario. I have two separate tabs open in my browser, Tab A and Tab B:

1. I went to my site in Tab A.
2. Then I tried logging in on Tab B.

The above error occurs.

In my MVC login view:

```html
<div class="col-md-4 col-md-offset-4">
    <form class="form-signin" role="form" action=@Url.Action("Login", "Account") method="POST" id="signInForm">
        @Html.AntiForgeryToken()
        <div class="form-group">
            <label for="loginEmail">Email</label>
            <input type="text" id="loginEmail" name="loginEmail" class="form-control" placeholder="Email address">
        </div>
        <div class="form-group">
            <label for="loginPassword">Password</label>
            <input id="loginPassword" type="password" name="loginPassword" class="form-control" placeholder="Password">
        </div>
        <button class="btn btn-lg btn-primary btn-block main-btn" type="submit">Sign in</button>
        <div>
            <br>
            <a href="@Url.Action("Index","GettingStarted")">Register</a><br>
            <a href="@Url.Action("ForgotPassword","Account")">Forgot your password?</a>
        </div>
    </form>
</div>
```

And my account controller is like this:

```csharp
[HttpPost]
[AllowAnonymous]
[ValidateAntiForgeryToken]
public ActionResult Login(LoginModel model)
{
    if (ModelState.IsValid)
    {
        // ... login logic (omitted in the question)
    }
    // ...
}
```

How can I fix this error?

c# asp.net-mvc

1 answer

This is because the two browser tabs share the same cookie. Authenticating in the first tab sets a new cookie that identifies your username. When the second tab submits, it sends the updated cookie obtained from the successful authentication in the first tab, along with a hidden form field that was downloaded before authentication and that identifies you as an anonymous user. Since the usernames in the cookie and in the hidden form field do not match, validation fails.

AntiForgeryWorker, which is used by ValidateAntiForgeryTokenAttribute, encodes the authenticated username in both the cookie and the hidden form field and ensures that they match during validation. So whenever you authenticate or change users, validation fails if you then submit a form rendered before the change to an action that uses ValidateAntiForgeryTokenAttribute.

Unfortunately, this means your options are limited to: not protecting the login action with ValidateAntiForgeryTokenAttribute, ignoring the scenario you describe and letting validation fail, or overriding the AntiForgery implementation in MVC with one that does not include the username in the validation process.

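To make the failure mode concrete, here is an added, self-contained Python model of the check the answer describes. It is not the page's code and not MVC's actual AntiForgeryWorker; it is a simplified reconstruction in which the cookie carries a random per-browser token and the hidden form field carries an HMAC binding that cookie token to the username the page was rendered for (the way the real implementation binds the two halves). The key, the user name "xxxx" and the scenario functions are constructed for the demonstration. It reproduces the two-tab sequence from the question, shows that re-rendering the form after login makes the same check pass, and shows that a form token issued for a different browser's cookie fails on the HMAC rather than on the username, which is the CSRF protection the username binding sits on top of.

```python
from __future__ import annotations

import base64
import binascii
import hashlib
import hmac
import os

# Constructed demo key; a real deployment would use machine-key / data-protection material.
SERVER_KEY = b"constructed-demo-key-not-for-production"


def new_cookie_token() -> str:
    """Random per-browser token that lives in the anti-forgery cookie.

    The cookie is shared by every tab of the same browser session.
    """
    return base64.urlsafe_b64encode(os.urandom(16)).decode()


def new_form_token(cookie_token: str, username: str) -> str:
    """Hidden-field token rendered into a form.

    It binds the cookie token to the user the page was rendered for ("" when
    anonymous) with an HMAC, so neither half can be swapped independently.
    """
    user_b64 = base64.urlsafe_b64encode(username.encode()).decode()
    mac = hmac.new(SERVER_KEY, f"{cookie_token}|{user_b64}".encode(), hashlib.sha256).hexdigest()
    return f"{user_b64}|{mac}"


def validate(cookie_token: str, form_token: str, current_user: str) -> tuple[bool, str]:
    """Server-side check run on POST; mirrors the two conditions the attribute enforces."""
    try:
        user_b64, mac = form_token.split("|", 1)
        token_user = base64.urlsafe_b64decode(user_b64).decode()
    except (ValueError, binascii.Error, UnicodeDecodeError):
        return False, "malformed form token"
    expected = hmac.new(SERVER_KEY, f"{cookie_token}|{user_b64}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        # Classic CSRF case: the form token was not issued for this browser's cookie.
        return False, "form token does not match the cookie token"
    if token_user != current_user:
        # The two-tab case from the question: stale anonymous form, fresh authenticated session.
        return False, f'token was meant for user "{token_user}", but the current user is "{current_user}"'
    return True, "ok"


def two_tab_scenario() -> tuple[bool, str]:
    """Tab B renders the login form anonymously, Tab A logs in, Tab B submits."""
    cookie = new_cookie_token()              # one cookie for the whole browser
    tab_b_form = new_form_token(cookie, "")  # rendered while anonymous
    current_user = "xxxx"                    # Tab A has since authenticated (constructed name)
    return validate(cookie, tab_b_form, current_user)


def refreshed_form_scenario() -> tuple[bool, str]:
    """Same browser, but the form is re-rendered after login, so the user names agree."""
    cookie = new_cookie_token()
    fresh_form = new_form_token(cookie, "xxxx")
    return validate(cookie, fresh_form, "xxxx")


def cross_site_scenario() -> tuple[bool, str]:
    """A form token minted against a different browser's cookie fails on the HMAC, not on the user name."""
    victim_cookie = new_cookie_token()
    other_cookie = new_cookie_token()
    foreign_form = new_form_token(other_cookie, "")
    return validate(victim_cookie, foreign_form, "")


if __name__ == "__main__":
    for name, fn in [("two tabs", two_tab_scenario),
                     ("refreshed form", refreshed_form_scenario),
                     ("cross-site form", cross_site_scenario)]:
        ok, reason = fn()
        print(f"{name:15s} -> {'PASS' if ok else 'FAIL'}: {reason}")
```

Running the file prints the outcome of each scenario; the "two tabs" line produces the same shape of message as the error in the question, which is why removing the username from the comparison (the answer's third option) would silence it only by weakening the binding that the other two scenarios rely on.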