Anti forgery token is meant for user "" but the current user is "username"
It happens a lot of times with my application, so I decided to google for it!
I found a simple explanation about this error! The user are double-clicking the button for login! You can see another user talking about that on the link below:
MVC 4 provided anti-forgery token was meant for user "" but the current user is "user"
I hope it helps! =)
This is happening because the anti-forgery token embeds the username of the user as part of the encrypted token for better validation. When you first call the @Html.AntiForgeryToken()
the user is not logged in so the token will have an empty string for the username, after the user logs in, if you do not replace the anti-forgery token it will not pass validation because the initial token was for anonymous user and now we have an authenticated user with a known username.
You have a few options to solve this problem:
Just this time let your SPA do a full POST and when the page reloads it will have an anti-forgery token with the updated username embedded.
Have a partial view with just
@Html.AntiForgeryToken()
and right after logging in, do another AJAX request and replace your existing anti-forgery token with the response of the request.
Note that setting AntiForgeryConfig.SuppressIdentityHeuristicChecks = true
does not disable username validation, it simply changes how that validation works. See the ASP.NET MVC docs, the source code where that property is read, and the source code where the username in the token is validated regardless of the value of that config.
To fix the error you need to place the OutputCache
Data Annotation on the Get ActionResult
of Login page as:
[OutputCache(NoStore=true, Duration = 0, VaryByParam= "None")]
public ActionResult Login(string returnUrl)