The provided anti-forgery token was meant for a different claims-based user than the current user: MVC4

  • Question

  • We have a website that automatically logs out after 20 minutes of idle time. Below is code in _layout.ts:

    var idleMax = 200;  // Logout after 20 minutes of IDLE (counted in timer ticks)
    var idleTime = 0;
    var baseUrl = '<some url>';        // like: 'http://localhost/'
    var webServerUri = '<some url>';   // base of the login page
    
    // Expected to be called once per timer tick (e.g. from setInterval);
    // idleTime is reset elsewhere on user activity.
    function timerIncrement() {
        idleTime = idleTime + 1;
        if (idleTime > idleMax) {
            idleTime = 0;
            // Fire-and-forget sign-out request; the redirect below does not wait for it.
            $.ajax({
                url: baseUrl + "Sys/Home/Logoff"
            });
            // Send the user to the login page, preserving the current URL as returnUrl
            // (only '&' is escaped here, so other reserved characters pass through).
            window.location.replace(webServerUri + "Sys/Home/Login?returnUrl=" + window.location.href.replace(/&/gi, "%26") + "&isInactive=-1");
        }
    }

    HomeController.cs:

    Sys/Home/Logoff:

        public ActionResult Logoff()
        {
            // Prevent the browser from caching the signed-out response
            Response.Cache.SetCacheability(HttpCacheability.NoCache);
            Response.Cache.SetExpires(DateTime.UtcNow.AddMinutes(-1));
            Response.Cache.SetNoStore();
            // Clear the OWIN authentication cookie for this user
            HttpContext.GetOwinContext().Authentication.SignOut();
            return Redirect(VirtualPathUtility.ToAbsolute("~/") + "sys/Home/Login");
        }


    Login action (showing login page):

        [AllowAnonymous]
        public ActionResult Login(string returnUrl)
        {
            ViewBag.ReturnURL = returnUrl;
            if (!String.IsNullOrWhiteSpace(returnUrl))
            {
                // Do not cache the login page when arriving with a returnUrl
                Response.Cache.SetCacheability(HttpCacheability.NoCache);
                Response.Cache.SetExpires(DateTime.UtcNow.AddMinutes(-1));
                Response.Cache.SetNoStore();
                // HttpContext.GetOwinContext().Authentication.SignOut();

                ViewBag.ReturnURL = returnUrl.Replace("&", "%26");
            }
            return View();
        }

    login.cshtml has the begin-form section below:

        @* ViewBag keys are case-sensitive: the controller sets ReturnURL, so read the same name here *@
        @using (Html.BeginForm(new { ReturnUrl = ViewBag.ReturnURL }))
        {
            @Html.AntiForgeryTokenNoEx()
            .
            .
            .
            .<Other code>
            .
            .
            .
            .
        }

    The user is logged out after 20 minutes of idle time. When we then enter the same username and password again, it gives the error below:

    The provided anti-forgery token was meant for a different claims-based user than the current user


    Tuesday, May 31, 2016 10:46 AM
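The poster's timer sends the Logoff request and navigates to the login page in the same tick, so the login form can be rendered while the authentication cookie is still present; an anti-forgery token issued for that claims identity will then not validate for the anonymous login post. As an added example (not the poster's code), here is the same idle-logout logic restructured so the redirect only happens once the logoff has completed; the `logoff`/`navigate`/`currentHref` callbacks and the 6-second tick period are assumptions.

```javascript
// Added example: idle-logout timer that redirects to Login only after Logoff finishes.
// Assumption: the login page must be served to an already signed-out (anonymous) user
// so that the anti-forgery token it embeds matches the identity that later posts it.
// logoff/navigate/currentHref are injected so the logic runs and tests without jQuery.

function buildLoginUrl(webServerUri, currentHref) {
  // encodeURIComponent escapes '&', '?', '#', '=' and more, not just '&'
  return webServerUri + "Sys/Home/Login?returnUrl=" +
    encodeURIComponent(currentHref) + "&isInactive=-1";
}

function createIdleLogout(options) {
  const { idleMax, baseUrl, webServerUri, logoff, navigate, currentHref } = options;
  let idleTime = 0;
  let pending = null; // in-flight logoff, so a later tick cannot trigger a second one

  function reset() { idleTime = 0; }          // call on mouse/keyboard activity

  // Call once per timer tick. Returns null when nothing happens, otherwise the
  // promise that resolves after the logoff request and the redirect are done.
  function tick() {
    idleTime += 1;
    if (idleTime <= idleMax || pending) return pending;
    idleTime = 0;
    pending = Promise.resolve(logoff(baseUrl + "Sys/Home/Logoff"))
      .then(() => navigate(buildLoginUrl(webServerUri, currentHref())))
      .finally(() => { pending = null; });
    return pending;
  }

  return { tick, reset, idle: () => idleTime };
}

// Browser wiring in the poster's jQuery environment would look like (assumed values):
//   const idle = createIdleLogout({ idleMax: 200, baseUrl, webServerUri,
//     logoff: url => $.ajax({ url }), navigate: url => window.location.replace(url),
//     currentHref: () => window.location.href });
//   setInterval(idle.tick, 6000);                       // 200 ticks * 6 s = 20 min
//   $(document).on("mousemove keydown", idle.reset);
```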