{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 霸刀☆藐视天下 的问题《MVC 4 provided anti-forgery token was meant for us》','https://www.manongdao.com/q-165960.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
I've recently put Live a web application which was built using MVC 4 and Entity Framework 5. The MVC application uses Razor Views.
I noticed using Elmah that when users are logging into the application, sometimes they are getting the following error
The provided anti-forgery token was meant for user "" but the current user is "user"
I've done a bit of research already on how to fix this issue, but nothing seems to work for me. Please see my Login View and corresponding Controller Actions below.
Razor View
@if (!HttpContext.Current.User.Identity.IsAuthenticated)
{
using (Html.BeginForm())
{
@Html.AntiForgeryToken()
@Html.ValidationSummary(true)
<div class="formEl_a">
<fieldset>
<legend>Login Information</legend>
<div class="lbl_a">
Email
</div>
<div class="editor-field">
@Html.TextBoxFor(m => m.Email, new { @class = "inpt_a" })<br />
@Html.ValidationMessageFor(m => m.Email)
</div>
<div class="lbl_a">
@Html.LabelFor(m => m.Password)
</div>
<div class="editor-field sepH_b">
@Html.PasswordFor(m => m.Password, new { @class = "inpt_a" })<br />
@Html.ValidationMessageFor(m => m.Password)
</div>
</fieldset>
</div>
<br />
<p>
<input type="submit" value="Log In" class="btn btn_d sepV_a" />
</p>
}
}
Controller
[AllowAnonymous]
public ActionResult Login()
{
return View();
}
[HttpPost]
[AllowAnonymous]
[ValidateAntiForgeryToken]
public ActionResult Login(LoginModel model, string returnUrl)
{
if (ModelState.IsValid && _accountService.Logon(model.Email, model.Password, true))
{
//Validate
}
else
{
// inform of failed login
}
}
I thought this all looked OK, but still the error persists. Does any have any ideas on how to fix this problem?
Your help is greatly appreciated.
Thanks.
I had the same problem when
I found this was happening only in IE and I fixed it by doing a couple of things
On the login page I added a check to see if the user is already authenticated, and if so logged out the user, and then redirected to the Login page again.
I believe this is occurring because the users are double-clicking the submit button on the form. At least that's EXACTLY the case on my site.
Troubleshooting anti-forgery token problems
The validation code that runs against an AntiForgeryToken also checks your logged in user credentials haven’t changed – these are also encrypted in the cookie. This means that if you logged in or out in a popup or another browser tab, your form submission will fail with the following exception:
You can turn this off by putting
AntiForgeryConfig.SuppressIdentityHeuristicChecks = true;inApplication_Startmethod insideGlobal.asaxfile.When a AntiForgeryToken doesn’t validate your website will throw an Exception of type
System.Web.Mvc.HttpAntiForgeryException. You can make this a little easier by at least giving the user a more informative page targeted at these exceptions by catching the HttpAntiForgeryException.More info:
Anti forgery token is meant for user “” but the current user is “username”
Html.AntiForgeryToken – Balancing Security with Usability