
Cannot login in 2 tabs because of Anti Forgery #8175


User avatar
0
portx-dev created

① You are logged in and have two tabs open in your browser. ② If you log out of tab 1, you will also be logged out of tab 2. ③ If you enter the correct user and password in tab 1 and log in, you will be able to log in. ④ If you enter the correct user and password in tab 2, you will get a 400 error.

I tried setting AutoValidate = false but it still doesn't solve this problem. https://abp.io/docs/latest/framework/infrastructure/csrf-anti-forgery I checked the error log but there was no error.

  • ABP Framework version: v8.3.2
  • UI Type: Angular
  • Database System: EF Core MySQL
  • Tiered (for MVC) or Auth Server Separated (for Angular): yes
  • Exception message and full stack trace:
  • Steps to reproduce the issue:

9 Answer(s)
  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    This is ASP.NET Core behavior.

    https://learn.microsoft.com/en-us/aspnet/core/security/anti-request-forgery?view=aspnetcore-8.0#multiple-browser-tabs-and-the-synchronizer-token-pattern
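The linked behavior is easier to reason about with a small model of the synchronizer token pattern. The following is an added example written for this thread; it is not ASP.NET Core's or ABP's implementation, and the key, the token format and the user names are constructed. The point it shows is that the request token embedded in a form is bound both to the antiforgery cookie and to the identity the page was rendered for, so a login form rendered while anonymous in tab B is no longer valid once tab A has authenticated the same browser session, and reloading tab B (which re-renders the form for the current identity) fixes it without disabling the protection.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Constructed stand-in for the server's data-protection key (assumption, not a real key).
SERVER_KEY = b"constructed-data-protection-key"


def _sign(cookie_token: str, username: str) -> str:
    """MAC that binds the request token to the cookie token and the identity."""
    msg = f"{cookie_token}|{username}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_tokens(cookie_token: Optional[str], username: str) -> Tuple[str, str]:
    """Render a form: reuse the browser's antiforgery cookie if it already has one,
    and emit a request token carrying the identity the page was rendered for
    (empty string = anonymous)."""
    if cookie_token is None:
        cookie_token = secrets.token_hex(16)
    return cookie_token, f"{username}:{_sign(cookie_token, username)}"


def validate(cookie_token: str, request_token: str, current_user: str) -> Tuple[bool, str]:
    """Server-side check on a POST. Returns (ok, reason)."""
    # The MAC is hex and never contains ':', so splitting on the last ':' is safe
    # even if a user name contained one.
    embedded_user, _, mac = request_token.rpartition(":")
    if not hmac.compare_digest(mac, _sign(cookie_token, embedded_user)):
        return False, "request token does not match the antiforgery cookie"
    if embedded_user != current_user:
        return False, "token was issued for a different user than the current one"
    return True, "ok"


def two_tab_scenario() -> dict:
    """Replays the report: two login tabs, log in on tab A, then submit tab B."""
    browser_cookie = None
    # Both tabs render the login page while the browser is anonymous.
    browser_cookie, tab_a_token = issue_tokens(browser_cookie, "")
    _, tab_b_token = issue_tokens(browser_cookie, "")

    # Tab A posts its form while still anonymous and authenticates the session.
    ok_a, _ = validate(browser_cookie, tab_a_token, current_user="")
    session_user = "alice" if ok_a else ""  # constructed user name

    # Tab B posts its stale form: the session is now "alice", the token says anonymous.
    ok_b, reason_b = validate(browser_cookie, tab_b_token, current_user=session_user)

    # Reloading tab B re-renders the form with a token bound to the current identity.
    _, fresh_token = issue_tokens(browser_cookie, session_user)
    ok_fresh, _ = validate(browser_cookie, fresh_token, current_user=session_user)

    return {
        "tab_a": ok_a,
        "tab_b": ok_b,
        "tab_b_reason": reason_b,
        "tab_b_after_reload": ok_fresh,
    }


if __name__ == "__main__":
    for name, value in two_tab_scenario().items():
        print(f"{name}: {value}")
```

The same check is what makes a token useless to a third-party site: a request token is only accepted together with the cookie it was minted against, which is why the usual remedy for the multi-tab case is to refresh the stale form (or fetch a fresh token) rather than to switch validation off.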

  • User Avatar
    0
    portx-dev created

    hi

    This is ASP.NET Core behavior.

    https://learn.microsoft.com/en-us/aspnet/core/security/anti-request-forgery?view=aspnetcore-8.0#multiple-browser-tabs-and-the-synchronizer-token-pattern

    @maliming Is there any way to bypass this behavior on ABP?

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    Hi

    You can override the Login page and add [IgnoreAntiforgeryToken] attribute.

    And add asp-antiforgery="false" to the post form:

    <form method="post" asp-antiforgery="false">
        <!-- ... -->
    </form>
    
  • User Avatar
    0
    portx-dev created

    @maliming I use ABP's built-in login completely. AuthServer is a separate project. Where can I change to achieve my desired result?

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    You can add a new class in AuthServer to customize the LoginPage.

    using Microsoft.AspNetCore.Authentication;
    using Microsoft.AspNetCore.Identity;
    using Microsoft.AspNetCore.Mvc;
    using Microsoft.Extensions.Options;
    using Owl.reCAPTCHA;
    using Volo.Abp.Account.ExternalProviders;
    using Volo.Abp.Account.Public.Web;
    using Volo.Abp.Account.Public.Web.Pages.Account;
    using Volo.Abp.Account.Security.Recaptcha;
    using Volo.Abp.Account.Web.Pages.Account;
    using Volo.Abp.DependencyInjection;
    using Volo.Abp.OpenIddict;
    using Volo.Abp.Security.Claims;
    
    namespace MyCompanyName.MyProjectName.Pages;
    
    // Skips antiforgery validation for this page only; the rest of the
    // application keeps the default protection. Order 1001 lets it win over
    // the globally registered auto-validate filter (order 1000).
    [IgnoreAntiforgeryToken(Order = 1001)]
    // Registers this model in place of the framework's login models so the
    // built-in Login.cshtml resolves to it.
    [ExposeServices(typeof(OpenIddictSupportedLoginModel), typeof(LoginModel))]
    public class MyLoginPage : OpenIddictSupportedLoginModel
    {
        // All dependencies are forwarded to the base login model unchanged.
        public MyLoginPage(
            IAuthenticationSchemeProvider schemeProvider,
            IOptions<AbpAccountOptions> accountOptions,
            IAbpRecaptchaValidatorFactory recaptchaValidatorFactory,
            IAccountExternalProviderAppService accountExternalProviderAppService,
            ICurrentPrincipalAccessor currentPrincipalAccessor,
            IOptions<IdentityOptions> identityOptions,
            IOptionsSnapshot<reCAPTCHAOptions> reCaptchaOptions,
            AbpOpenIddictRequestHelper openIddictRequestHelper)
            : base(schemeProvider, accountOptions, recaptchaValidatorFactory, accountExternalProviderAppService, currentPrincipalAccessor, identityOptions, reCaptchaOptions, openIddictRequestHelper)
        {
        }
    }
    
    
  • User Avatar
    0
    portx-dev created

    @maliming I tried your way but still get a 400 error.

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    I have tested the code.

    Can you share a simple/template project to reproduce?

    liming.ma@volosoft.com

  • User Avatar
    0
    portx-dev created

    @maliming I have shared source code with you via email

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    ③ If you enter the correct user and password in tab 1 and log in, you will be able to log in. ④ If you enter the correct user and password in tab 2, you will get a 400 error.

    I opened two tabs.

    TabA => account/login
    TabB => account/login

    If I sign in on TabA, TabB will redirect to the home page.

    Can you share your step to get the 400 error?

    Thanks.

Made with ❤️ on ABP v9.1.0-preview. Updated on November 01, 2024, 05:35