
AntiforgeryValidationException problem with two users #3338


dev3.advantiss created

User_1 gets AntiforgeryValidationException, because the cookie XSRF-TOKEN changed/was removed after User_2 logged in, but the error message does not reflect the real situation... Do you have any variants for a solution to this problem? Maybe change the error message, or log in User_1 with logout of User_2?

  • ABP Framework version: v4.3.3
  • UI type: Angular
  • DB provider: MongoDB
  • Tiered (MVC) or Identity Server Separated (Angular): yes
  • Exception message and stack trace:
    [15:36:39 INF] Route matched with {page = "/Account/Login", action = "", controller = "", area = ""}. Executing page /Account/Login
    [15:36:39 INF] Skipping the execution of current filter as its not the most effective filter implementing the policy Microsoft.AspNetCore.Mvc.ViewFeatures.IAntiforgeryPolicy
    [15:36:39 INF] Antiforgery token validation failed. The antiforgery cookie token and request token do not match.
    Microsoft.AspNetCore.Antiforgery.AntiforgeryValidationException: The antiforgery cookie token and request token do not match.
       at Microsoft.AspNetCore.Antiforgery.DefaultAntiforgery.ValidateTokens(HttpContext httpContext, AntiforgeryTokenSet antiforgeryTokenSet)
       at Microsoft.AspNetCore.Antiforgery.DefaultAntiforgery.ValidateRequestAsync(HttpContext httpContext)
       at Microsoft.AspNetCore.Mvc.ViewFeatures.Filters.ValidateAntiforgeryTokenAuthorizationFilter.OnAuthorizationAsync(AuthorizationFilterContext context)
    [15:36:39 INF] Authorization failed for the request at filter 'Microsoft.AspNetCore.Mvc.ViewFeatures.Filters.AutoValidateAntiforgeryTokenAuthorizationFilter'.
    [15:36:39 INF] Executing HttpStatusCodeResult, setting HTTP status code 400
    [15:36:39 INF] Executed page /Account/Login in 142.0991ms
    [15:36:39 INF] Executed endpoint '/Account/Login'

  • Steps to reproduce the issue: User 1 and User 2 try to log in in one browser
  1. User 1: Open the Login page
  2. User 2: Open the Login page, authorize and return to the main site
  3. User 1: Try to authorize and get the AntiforgeryValidationException error

Best regards, Advantiss Inc


2 Answer(s)
  • liangshiwei created
    Support Team

    Hi,

    I will check it.

  • liangshiwei created
    Support Team

    Hi,

    This is by design from Microsoft.

    You can try this if you need:

    using System.Threading.Tasks;
    using Microsoft.AspNetCore.Antiforgery;
    using Microsoft.AspNetCore.Http;
    using Microsoft.AspNetCore.Mvc;
    using Microsoft.AspNetCore.Mvc.Filters;
    using Microsoft.AspNetCore.Mvc.ViewFeatures;
    using Volo.Abp.DependencyInjection;

    // Implementing IAntiforgeryPolicy makes this the effective antiforgery filter, so the
    // built-in auto-validation filter skips itself (the "not the most effective filter"
    // line in the log above). This class therefore has to validate every unsafe request
    // itself, not only the login POST, or CSRF protection is lost for the rest of the app.
    public class MyValidateAntiforgeryTokenFilter : IAsyncAuthorizationFilter, ITransientDependency, IAntiforgeryPolicy
    {
        private readonly IAntiforgery _antiforgery;

        public MyValidateAntiforgeryTokenFilter(IAntiforgery antiforgery)
        {
            _antiforgery = antiforgery;
        }

        public async Task OnAuthorizationAsync(AuthorizationFilterContext context)
        {
            var method = context.HttpContext.Request.Method;

            // Safe methods carry no antiforgery token, same as the default filter.
            if (HttpMethods.IsGet(method) || HttpMethods.IsHead(method) || HttpMethods.IsOptions(method) || HttpMethods.IsTrace(method))
            {
                return;
            }

            try
            {
                // Same cookie-token vs request-token check that produced the 400 in the report
                await _antiforgery.ValidateRequestAsync(context.HttpContext);
            }
            catch (AntiforgeryValidationException)
            {
                if (HttpMethods.IsPost(method) && context.ActionDescriptor.DisplayName == "/Account/Login")
                {
                    // Stale login form: it is not processed; redirect to index page instead of returning 400
                    context.Result = new RedirectResult("/");
                }
                else
                {
                    // Every other request keeps the default outcome
                    context.Result = new BadRequestResult();
                }
            }
        }
    }

    // In the module's ConfigureServices. Order 2000 sorts this filter after the built-in
    // one (order 1000), which is what makes it the effective IAntiforgeryPolicy.
    Configure<MvcOptions>(options =>
    {
        options.Filters.AddService<MyValidateAntiforgeryTokenFilter>(2000);
    });
    
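As an added example (not code from the answer above or from the ABP project), the same filter idea carried one step further so that the user sees what actually happened instead of a bare redirect: a mismatched login POST is still never processed, but an already-authenticated browser is sent into the application, while an anonymous one gets a fresh antiforgery cookie and is sent back to the login page with a flag the page can turn into a "please try again" message. Every other unsafe request is rejected with 400 exactly as the default filter would, because an effective IAntiforgeryPolicy silences the built-in filter. The route "/Account/Login", the `antiforgeryReset` query flag, the `LoginAntiforgeryFilter` name and the use of `ILogger` are assumptions made for this example.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Antiforgery;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Filters;
using Microsoft.AspNetCore.Mvc.ViewFeatures;
using Microsoft.Extensions.Logging;
using Volo.Abp.DependencyInjection;

// Added example, not ABP's or the answer's code. Register it like the answer's filter:
//   Configure<MvcOptions>(options => options.Filters.AddService<LoginAntiforgeryFilter>(2000));
public class LoginAntiforgeryFilter : IAsyncAuthorizationFilter, ITransientDependency, IAntiforgeryPolicy
{
    private const string LoginPath = "/Account/Login";     // assumed login page route
    private const string ResetFlag = "antiforgeryReset";   // assumed query flag read by the login page

    private readonly IAntiforgery _antiforgery;
    private readonly ILogger<LoginAntiforgeryFilter> _logger;

    public LoginAntiforgeryFilter(IAntiforgery antiforgery, ILogger<LoginAntiforgeryFilter> logger)
    {
        _antiforgery = antiforgery;
        _logger = logger;
    }

    public async Task OnAuthorizationAsync(AuthorizationFilterContext context)
    {
        var http = context.HttpContext;
        var method = http.Request.Method;

        // Safe methods carry no antiforgery token; nothing to validate.
        if (HttpMethods.IsGet(method) || HttpMethods.IsHead(method) ||
            HttpMethods.IsOptions(method) || HttpMethods.IsTrace(method))
        {
            return;
        }

        // Same cookie-token vs request-token comparison as ValidateRequestAsync,
        // but it returns false instead of throwing AntiforgeryValidationException.
        if (await _antiforgery.IsRequestValidAsync(http))
        {
            return;   // tokens match: let the handler run
        }

        // Being the effective IAntiforgeryPolicy silences the built-in filter, so every
        // other unsafe request must still be rejected here exactly as it is by default.
        var isLoginPost = HttpMethods.IsPost(method) && context.ActionDescriptor.DisplayName == LoginPath;
        if (!isLoginPost)
        {
            context.Result = new BadRequestResult();
            return;
        }

        // From here on: a login form whose token no longer matches the browser's cookie.
        // The form is never processed; only the response differs from the default 400.
        if (http.User?.Identity?.IsAuthenticated == true)
        {
            // Someone (User_2 in the report) already signed in from this browser, so the
            // stale login tab is moot: send it into the application.
            _logger.LogInformation("Stale login form from an already authenticated session; redirecting to /");
            context.Result = new RedirectResult("/");
            return;
        }

        // Anonymous: the antiforgery cookie was rotated or removed after the form rendered.
        // Ensure this response carries a valid antiforgery cookie, then re-render the login
        // page with a flag the page can show as an explanatory message.
        _logger.LogWarning("Antiforgery token mismatch on login POST from {RemoteIp}", http.Connection.RemoteIpAddress);
        _antiforgery.GetAndStoreTokens(http);
        context.Result = new RedirectResult($"{LoginPath}?{ResetFlag}=1");
    }
}
```

The log is the check that the filter does what is intended: after registering it, the "Executing HttpStatusCodeResult, setting HTTP status code 400" line should disappear for the two-user login scenario and be replaced by the redirect plus the warning above, while a POST to any other page with a missing or wrong token should still produce the 400. If the 400 also disappears for those other requests, the filter is short-circuiting too early and CSRF protection has been weakened rather than refined.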
Made with ❤️ on ABP v9.1.0-rc.1. Updated on January 17, 2025, 14:13