ASP.Net MVC provides an anti-forgery mechanism using the methods @Html.AntiForgeryToken() and the [ValidateAntiForgeryToken] attribute.
I developed a web application using this mechanism for login, as the MVC template automatically provides this code. It worked fine using Chrome, but when I tried out the application in Internet Explorer, a couple of errors occurred relating to it:
Anti-forgery token is meant for user “” but the current user is “username”
The provided anti-forgery token was meant for a different claims-based user
The different answers on SO and various blogs offered no solution:
- setting
AntiForgeryConfig.SuppressIdentityHeuristicChecksto true - exchanging the anti-forgery token
- changing
AntiForgeryConfig.UniqueClaimTypeIdentifier
The solution that finally worked destroys the current ASP.Net session and signs out if the user is currently logged in:
[AllowAnonymous]
public ActionResult Login(string returnUrl)
{
Session.Abandon();
if (AuthenticationManager.User.Identity.IsAuthenticated)
AuthenticationManager.SignOut();
ViewBag.ReturnUrl = returnUrl;
return View();
}
Nice solution, but I put the following on the Login view: if Authenticated “you are already loggedin”, and a Logout button.