0
dev3.advantiss created
User_1 gets an AntiforgeryValidationException, because the cookie XSRF-TOKEN is changed/removed after User_2 logs in, but the error message does not reflect the real situation... Do you have any variants for solving this problem? Maybe change the error message, or log in User_1 with logout of User_2?
- ABP Framework version: v4.3.3
- UI type: Angular
- DB provider: MongoDB
- Tiered (MVC) or Identity Server Separated (Angular): yes
- Exception message and stack trace:

```
[15:36:39 INF] Route matched with {page = "/Account/Login", action = "", controller = "", area = ""}. Executing page /Account/Login
[15:36:39 INF] Skipping the execution of current filter as its not the most effective filter implementing the policy Microsoft.AspNetCore.Mvc.ViewFeatures.IAntiforgeryPolicy
[15:36:39 INF] Antiforgery token validation failed. The antiforgery cookie token and request token do not match.
Microsoft.AspNetCore.Antiforgery.AntiforgeryValidationException: The antiforgery cookie token and request token do not match.
   at Microsoft.AspNetCore.Antiforgery.DefaultAntiforgery.ValidateTokens(HttpContext httpContext, AntiforgeryTokenSet antiforgeryTokenSet)
   at Microsoft.AspNetCore.Antiforgery.DefaultAntiforgery.ValidateRequestAsync(HttpContext httpContext)
   at Microsoft.AspNetCore.Mvc.ViewFeatures.Filters.ValidateAntiforgeryTokenAuthorizationFilter.OnAuthorizationAsync(AuthorizationFilterContext context)
[15:36:39 INF] Authorization failed for the request at filter 'Microsoft.AspNetCore.Mvc.ViewFeatures.Filters.AutoValidateAntiforgeryTokenAuthorizationFilter'.
[15:36:39 INF] Executing HttpStatusCodeResult, setting HTTP status code 400
[15:36:39 INF] Executed page /Account/Login in 142.0991ms
[15:36:39 INF] Executed endpoint '/Account/Login'
```
- Steps to reproduce the issue: User 1 and User 2 try to log in in one browser
  - User 1: Open the Login page
  - User 2: Open the Login page, authorize and return to the main site
  - User 1: Try to authorize and get the AntiforgeryValidationException error
Best regards, Advantiss Inc
2 Answer(s)
-
0
Hi,
I will check it.
-
0
Hi,
This is by design from Microsoft.
You can try this if you need:
```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Antiforgery;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Filters;
using Microsoft.AspNetCore.Mvc.ViewFeatures;
using Volo.Abp.DependencyInjection;

public class MyValidateAntiforgeryTokenFilter : IAsyncAuthorizationFilter, ITransientDependency, IAntiforgeryPolicy
{
    private readonly IAntiforgery _antiforgery;

    public MyValidateAntiforgeryTokenFilter(IAntiforgery antiforgery)
    {
        _antiforgery = antiforgery;
    }

    public async Task OnAuthorizationAsync(AuthorizationFilterContext context)
    {
        // Only intercept POST requests to the login page
        if (HttpMethods.IsPost(context.HttpContext.Request.Method)
            && context.ActionDescriptor.DisplayName == "/Account/Login")
        {
            try
            {
                await _antiforgery.ValidateRequestAsync(context.HttpContext);
            }
            catch (AntiforgeryValidationException)
            {
                // redirect to index page
                context.Result = new RedirectResult("/");
            }
        }
    }
}
```

```csharp
// In your module's ConfigureServices:
Configure<MvcOptions>(options =>
{
    options.Filters.AddService<MyValidateAntiforgeryTokenFilter>(2000);
});
```
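One caveat worth checking before adopting the filter above: because it implements IAntiforgeryPolicy and is registered with order 2000, ASP.NET Core treats it as the effective antiforgery policy and the built-in auto-validation filter skips itself (that is the "not the most effective filter" line in the log), yet the filter itself only validates the login POST. Every other unsafe request would then pass without a CSRF check. The following is an added example, not ABP's code and not the answerer's, that keeps validation for all state-changing methods and only changes how a failure on the login page is handled (re-rendering the login page so a fresh token is issued, instead of a bare 400). The class name, the log message and the choice of redirect target are assumptions for illustration; the "/Account/Login" display name is taken from the thread.

```csharp
// Added example (not ABP's or the original poster's code). Validates every unsafe request,
// as the built-in filter does, and only changes the failure handling for the login page.
using System.Threading.Tasks;
using Microsoft.AspNetCore.Antiforgery;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Filters;
using Microsoft.AspNetCore.Mvc.ViewFeatures;
using Microsoft.Extensions.Logging;
using Volo.Abp.DependencyInjection;

public class LoginAwareAntiforgeryFilter : IAsyncAuthorizationFilter, IAntiforgeryPolicy, ITransientDependency
{
    // Razor Page display name of the login page, as seen in the thread's log (assumption: unchanged in your app).
    private const string LoginPageDisplayName = "/Account/Login";

    private readonly IAntiforgery _antiforgery;
    private readonly ILogger<LoginAwareAntiforgeryFilter> _logger;

    public LoginAwareAntiforgeryFilter(IAntiforgery antiforgery, ILogger<LoginAwareAntiforgeryFilter> logger)
    {
        _antiforgery = antiforgery;
        _logger = logger;
    }

    public async Task OnAuthorizationAsync(AuthorizationFilterContext context)
    {
        // Mirror the built-in behaviour: if another IAntiforgeryPolicy filter is registered later, defer to it.
        if (!context.IsEffectivePolicy<IAntiforgeryPolicy>(this))
        {
            return;
        }

        // Safe methods carry no antiforgery token and are never validated.
        var method = context.HttpContext.Request.Method;
        if (HttpMethods.IsGet(method) || HttpMethods.IsHead(method) ||
            HttpMethods.IsOptions(method) || HttpMethods.IsTrace(method))
        {
            return;
        }

        try
        {
            await _antiforgery.ValidateRequestAsync(context.HttpContext);
        }
        catch (AntiforgeryValidationException ex)
        {
            // Keep a record: repeated failures from one client are worth noticing in monitoring.
            _logger.LogWarning(ex, "Antiforgery validation failed for {Path}", context.HttpContext.Request.Path);

            if (context.ActionDescriptor.DisplayName == LoginPageDisplayName)
            {
                // Stale login form (e.g. another user signed in from the same browser):
                // send the browser back to the login page, keeping its query string (ReturnUrl etc.),
                // so it is rendered again with a fresh token. The POST itself is not processed.
                var request = context.HttpContext.Request;
                context.Result = new RedirectResult(request.Path.Value + request.QueryString.Value);
                return;
            }

            // Every other endpoint keeps the default outcome: the request is rejected.
            context.Result = new BadRequestResult();
        }
    }
}

// Registration in the module's ConfigureServices; the order above 1000 makes this the effective policy.
//   Configure<MvcOptions>(options =>
//   {
//       options.Filters.AddService<LoginAwareAntiforgeryFilter>(2000);
//   });
```

The decisive design choice is that the catch block, not the validation condition, is where the login page is special-cased: validation runs for every unsafe request, so the filter never weakens CSRF protection elsewhere, and a short-circuiting `context.Result` guarantees the failed POST is not executed in either branch.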