mikha

asked on

The provided anti-forgery token was meant for user "", but the current user is "testUser".

I am running into an issue when I try to log in to my site from two tabs in a browser. After logging in on the first tab, when I try to log in on the 2nd tab, I get the exception "The provided anti-forgery token was meant for user "", but the current user is "testUser"." I believe the anti-forgery token also encrypts the username, and when I try to log in from the second tab, the username doesn't match the user already logged in.

I found a few posts regarding similar problems, but couldn't decide on the best solution without leaving the site vulnerable to CSRF attacks.
AndyAinscow

Just log in once from one tab in that case.
Use another browser or a secure tab (like Chrome incognito).
The anti-forgery token is designed to work this way (per session).
mikha (ASKER)

There are sites which work on both tabs when logged in. So what is the workaround, if any, to make login possible from both tabs?
mikha (ASKER)

One more thing: as this is happening, when I log in on the first tab, then close the browser without logging out and then try to log in in a second window/tab, it throws the same exception.
It will, because the session is still active.
mikha (ASKER)

Thanks @shaun.

1. How are such situations handled then? Do we abandon the session when the user closes the browser?
2. Also, for my original question about logging in from two different tabs/windows: I have seen banking applications let you do that. Is there a way we can achieve this in ASP.NET without compromising on security?
ASKER CERTIFIED SOLUTION
Shaun Vermaak

mikha (ASKER)

Thanks again @shaun.

So I did this: I check if the user is already authenticated; if yes, I log out the user. This will serve the purpose where the client is logged in in one window and, if they try to go to the login page from another window/tab, they will be logged out and will have to log back in.

Now another case is: if they already have two windows open with the login page, and they log in to one and then come to the second window and try to log in again, the application will throw the same exception --> "The provided anti-forgery token was meant for user ".
I know this can be caught in the Application_Error function in the Global.asax file. In this Application_Error function I can redirect the user to the login page again, but it is not an elegant solution, since nothing will happen from the user's point of view.

Is there a better way to let the user know they are logged in in another window, or "you are logged out; refresh the page and try logging in again"?

public ActionResult Login()
{
    if (this.Request.IsAuthenticated)
    {
        // log out the user
    }
    return View();
}
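One way to handle both situations described above (already signed in when the login page is opened, and a stale token posted from a second window), added here as an example that is not from the thread or its accepted answers. It assumes classic ASP.NET MVC 5 with Forms Authentication and a configured Membership provider, an `AccountController`, and a `Login` view that displays `TempData["LoginMessage"]`; the filter class and the message key are hypothetical names.

```csharp
using System.Web.Helpers;          // HttpAntiForgeryException
using System.Web.Mvc;
using System.Web.Routing;
using System.Web.Security;         // FormsAuthentication, Membership

// Global exception filter (hypothetical name): a stale token issued for user ""
// is still rejected, but the user is sent back to the login page with a message
// instead of an error page. Register it in FilterConfig with filters.Add(...).
public class HandleAntiForgeryErrorAttribute : FilterAttribute, IExceptionFilter
{
    public void OnException(ExceptionContext filterContext)
    {
        if (!(filterContext.Exception is HttpAntiForgeryException)) return;
        filterContext.Controller.TempData["LoginMessage"] =
            "You signed in from another window. Refresh this page and try again.";
        filterContext.Result = new RedirectToRouteResult(
            new RouteValueDictionary(new { controller = "Account", action = "Login" }));
        filterContext.ExceptionHandled = true;
    }
}

public class AccountController : Controller
{
    [HttpGet]
    public ActionResult Login()
    {
        if (Request.IsAuthenticated)
        {
            // Already signed in (e.g. in another tab): end that session first, so the
            // form rendered next carries a token issued for the anonymous user.
            FormsAuthentication.SignOut();
            TempData["LoginMessage"] = "You were already signed in; please log in again.";
            return RedirectToAction("Login");   // next request is anonymous, no loop
        }
        return View();
    }

    [HttpPost]
    [ValidateAntiForgeryToken]   // throws HttpAntiForgeryException on a stale token
    public ActionResult Login(string userName, string password)
    {
        if (Membership.ValidateUser(userName, password))
        {
            FormsAuthentication.SetAuthCookie(userName, false);
            return RedirectToAction("Index", "Home");
        }
        ModelState.AddModelError("", "Invalid user name or password.");
        return View();
    }
}
```

The anti-forgery check itself is left intact; only the user-facing handling of the failure changes, so CSRF protection is not weakened.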
SOLUTION