ASP.Net MVC provides an anti-forgery mechanism using the @Html.AntiForgeryToken() helper and the [ValidateAntiForgeryToken] attribute.
I developed a web application that uses this mechanism for login, as the MVC template provides this code automatically. It worked fine in Chrome, but when I tried the application in Internet Explorer, two errors related to it occurred:
- Anti-forgery token is meant for user “” but the current user is “username”
- The provided anti-forgery token was meant for a different claims-based user
The various answers on SO and on blogs offered no solution:
- setting AntiForgeryConfig.SuppressIdentityHeuristicChecks to true
- exchanging the anti-forgery token
- changing AntiForgeryConfig.UniqueClaimTypeIdentifier
The solution that finally worked destroys the current ASP.Net session and signs out if the user is currently logged in:
```csharp
[AllowAnonymous]
public ActionResult Login(string returnUrl)
{
    // Drop the old ASP.Net session so no stale state survives.
    Session.Abandon();

    // If a user is still signed in, sign out before rendering the login form,
    // so the anti-forgery token is generated for the anonymous identity that
    // will later submit it.
    if (AuthenticationManager.User.Identity.IsAuthenticated)
        AuthenticationManager.SignOut();

    ViewBag.ReturnUrl = returnUrl;
    return View();
}
```
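The following is an added example, not the post's own code, that shows the GET action above in context: the matching POST action guarded by [ValidateAntiForgeryToken], and an exception filter that turns the "token is meant for user ..." failure (raised as System.Web.Helpers.HttpAntiForgeryException) into a redirect back to GET Login, where a fresh token is minted for the current identity. The reason the error appears at all is that the token embeds the user name (or, for claims identities, the NameIdentifier claim), so a form rendered for "" is rejected once the session has become "username"; that binding is what stops a token captured from an anonymous page being replayed after login, which is why turning on SuppressIdentityHeuristicChecks is a weakening of the protection rather than a fix. It assumes the MVC 5 template's OWIN-based AuthenticationManager; LoginViewModel and the in-memory credential store are constructed stand-ins for the template's model and SignInManager.

```csharp
using System.Collections.Generic;
using System.Security.Claims;
using System.Web;
using System.Web.Helpers;          // HttpAntiForgeryException (raised by the token check)
using System.Web.Mvc;
using Microsoft.AspNet.Identity;   // DefaultAuthenticationTypes
using Microsoft.Owin.Security;

// Constructed stand-in for the template's LoginViewModel.
public class LoginViewModel
{
    public string UserName { get; set; }
    public string Password { get; set; }
}

// Filter: a failed anti-forgery check on the login form means the token was
// minted for a different identity than the one now posting it. Instead of a
// 500 page, send the browser back to GET Login so a fresh, matching token is
// rendered by @Html.AntiForgeryToken().
public class AntiForgeryRedirectAttribute : HandleErrorAttribute
{
    public override void OnException(ExceptionContext filterContext)
    {
        if (!(filterContext.Exception is HttpAntiForgeryException))
            return;

        var url = new UrlHelper(filterContext.RequestContext).Action("Login", "Account");
        filterContext.Result = new RedirectResult(url);
        filterContext.ExceptionHandled = true;
    }
}

[AntiForgeryRedirect]
public class AccountController : Controller
{
    // Constructed credential store for the example only; the real template
    // verifies hashed passwords through SignInManager/UserManager.
    private static readonly Dictionary<string, string> Users =
        new Dictionary<string, string> { { "alice", "correct horse battery staple" } };

    private IAuthenticationManager AuthenticationManager
    {
        get { return HttpContext.GetOwinContext().Authentication; }
    }

    // GET /Account/Login: reset identity first so the rendered token is bound
    // to the same (anonymous) user who will submit the form.
    [HttpGet]
    [AllowAnonymous]
    public ActionResult Login(string returnUrl)
    {
        Session.Abandon();
        if (AuthenticationManager.User.Identity.IsAuthenticated)
            AuthenticationManager.SignOut();

        ViewBag.ReturnUrl = returnUrl;
        return View();
    }

    // POST /Account/Login: the token check rejects cross-site posts and
    // tokens minted for another identity (including the stale-page case).
    [HttpPost]
    [AllowAnonymous]
    [ValidateAntiForgeryToken]
    public ActionResult Login(LoginViewModel model, string returnUrl)
    {
        if (!ModelState.IsValid)
            return View(model);

        string password;
        if (model.UserName == null || !Users.TryGetValue(model.UserName, out password)
            || password != model.Password)
        {
            ModelState.AddModelError("", "Invalid login attempt.");
            return View(model);
        }

        // NameIdentifier is the claim the anti-forgery system binds tokens to
        // for claims-based users, so it must be present on the new identity.
        var identity = new ClaimsIdentity(
            new[]
            {
                new Claim(ClaimTypes.NameIdentifier, model.UserName),
                new Claim(ClaimTypes.Name, model.UserName)
            },
            DefaultAuthenticationTypes.ApplicationCookie);
        AuthenticationManager.SignIn(new AuthenticationProperties { IsPersistent = false }, identity);

        // Only follow local return URLs, so the login form cannot be used as an open redirect.
        return Url.IsLocalUrl(returnUrl)
            ? (ActionResult)Redirect(returnUrl)
            : RedirectToAction("Index", "Home");
    }
}
```

The filter is deliberately scoped to HttpAntiForgeryException so other failures still surface through the normal error handling; the redirect only re-renders the login form, it never suppresses the token validation itself.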
Nice solution, but I put the following on the Login view: if authenticated, “you are already logged in”, and a Logout button.