System.Web.WebPages - the anti-forgery token was meant for user "", but the current user is "email@address.com".

  • Question

  • User379720387 posted

    I work on several sites within the same domain but different port numbers throughout the day.

    I am getting frequent warnings like the one in the title, and the Elmah logs show some of our clients have the same issue.

    Found some stuff online for MVC, but how does one resolve this for WebPages?

    Wednesday, May 29, 2019 9:06 PM

Answers

  • User1163516801 posted

    The cookies in the same domain are shared with all the applications even if these applications are on different ports. Please refer to https://stackoverflow.com/questions/1612177/are-http-cookies-port-specific for a detailed explanation of this.

    And you can try publishing your applications to different domains to solve the issue.

    BTW, we cannot reproduce your issue on our side; if the issue is consistent, please share more info about your env and key code snippets with us for further analysis.


    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Monday, June 3, 2019 6:41 AM

All replies

  • User-1174608757 posted

    Hi wavemaster,

    According to your description, this happens because the anti-forgery token embeds the username of the user as part of the encrypted token for better validation.

    When you first call @Html.AntiForgeryToken(), the user is not logged in, so the token will have an empty string for the username. After the user logs in, if you do not replace the anti-forgery token, it will not pass validation because the initial token was for an anonymous user and now we have an authenticated user with a known username.

    So I suggest that you try the ways below:

    1. Just this time let your SPA do a full POST, and when the page reloads it will have an anti-forgery token with the updated username embedded.

    2. Have a partial view with just @Html.AntiForgeryToken() and, right after logging in, do another AJAX request and replace your existing anti-forgery token with the response of the request.

    3. Just disable the identity check the anti-forgery validation performs. Add the following to your Application_Start method: AntiForgeryConfig.SuppressIdentityHeuristicChecks = true.

    Here is the link; I hope it could help you.

    https://stackoverflow.com/questions/14970102/anti-forgery-token-is-meant-for-user-but-the-current-user-is-username

    Best Regards

    Wei

    Thursday, May 30, 2019 5:38 AM
  • User379720387 posted

    I had found that thread, but could not translate those solutions to my WebPages environment.

    It is not a SPA

    Full post is already happening

    There are no partial views (WebPages = page model)

    There is no Application_Start

    Thursday, May 30, 2019 11:58 AM
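Putting the two answers above together for a Web Pages site, as an added example that is not the responders' code: Web Pages has no Global.asax Application_Start, but _AppStart.cshtml runs once at startup, and AntiForgery.GetHtml() / AntiForgery.Validate() are the Web Pages counterparts of the MVC helpers. It assumes a hypothetical page name Login.cshtml, a constructed per-application cookie name, and SimpleMembership (WebSecurity) for the login itself.

```cshtml
@* ---- file: _AppStart.cshtml (site root), runs once when the application starts ---- *@
@using System.Web.Helpers
@{
    // Each application on the shared host gets its own anti-forgery cookie name,
    // so the cookie issued by the site on one port is never picked up by the site
    // on another port (browsers ignore the port when matching cookies).
    // The cookie name below is a constructed example value.
    AntiForgeryConfig.CookieName = "__RequestVerificationToken_Site1";

    // Keep the identity check enabled: the token stays bound to the logged-in
    // user name. Setting this to true removes that binding and is the last resort
    // from Wei's list, not the first.
    AntiForgeryConfig.SuppressIdentityHeuristicChecks = false;
}

@* ---- file: Login.cshtml (hypothetical page name) ---- *@
@using System.Web.Helpers
@using WebMatrix.WebData
@{
    if (IsPost) {
        // Throws HttpAntiForgeryException on a cookie/field mismatch, including the
        // "meant for user "" but the current user is ..." case from the title.
        AntiForgery.Validate();

        if (WebSecurity.Login(Request.Form["email"], Request.Form["password"])) {
            // Redirect after login so the next GET renders a fresh token bound to
            // the now-authenticated user instead of reusing the anonymous one.
            Response.Redirect("~/");
        }
    }
}
<form method="post">
    @AntiForgery.GetHtml()
    <input type="email" name="email" />
    <input type="password" name="password" />
    <button type="submit">Log in</button>
</form>
```

Any page that still holds a pre-login form token will fail validation once, which is the expected behaviour; the redirect above is what keeps that from happening on the login flow itself.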