
The provided anti-forgery token was meant for user "[email protected]", but the current user is "".


If you have a form that uses Html.AntiForgeryToken() (which you always should!) and get this error, here is a way to handle it.

What is happening here is that the form typically sits behind a login on the site. Your session expires while you are filling in the form, so by the time you submit it the identity on the request is no longer the one the token was issued for: the token still carries the original username, but the request is now anonymous (hence the empty string in the message), and .NET rejects the post as a possible forgery.

A quick search on StackOverflow pulls up this gem:

This is happening because the anti-forgery token embeds the username of the user as part of the encrypted token for better validation. When you first call @Html.AntiForgeryToken() the user is not logged in, so the token will have an empty string for the username; after the user logs in, if you do not replace the anti-forgery token it will not pass validation, because the initial token was for an anonymous user and now we have an authenticated user with a known username.

You have a few options to solve this problem:

  1. Just this time let your SPA do a full POST and when the page reloads it will have an anti-forgery token with the updated username embedded.

  2. Have a partial view with just @Html.AntiForgeryToken() and right after logging in, do another AJAX request and replace your existing anti-forgery token with the response of the request.

  3. Just disable the identity check the anti-forgery validation performs. Add the following to your Application_Start method: AntiForgeryConfig.SuppressIdentityHeuristicChecks = true.
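Option 2 above needs a client-side piece that the answer does not show. The block below is an added example, not code from the original post or from Umbraco: after a successful AJAX login it fetches a partial view that renders only @Html.AntiForgeryToken(), pulls the token out of the returned markup and writes it into every form on the page, so the next POST carries a token issued for the now-authenticated user. The route /umbraco/surface/AntiForgery/Token is an assumed, hypothetical endpoint; the hidden field name __RequestVerificationToken is MVC's default.

```javascript
// Added example (not from the original post): client-side half of option 2.
// Refresh the anti-forgery token in place after login instead of reloading
// the page (option 1) or relaxing the validation (option 3).

const TOKEN_FIELD = "__RequestVerificationToken"; // MVC's default hidden field name
const TOKEN_URL = "/umbraco/surface/AntiForgery/Token"; // hypothetical partial-view route (assumption)

// Extract the token value from the markup @Html.AntiForgeryToken() emits:
//   <input name="__RequestVerificationToken" type="hidden" value="..." />
// Attribute order differs between MVC versions, so locate the tag by its
// name attribute first and then read the value attribute from that tag.
function extractTokenValue(html) {
  const tag = html.match(/<input\b[^>]*\bname=["']__RequestVerificationToken["'][^>]*>/i);
  if (!tag) {
    throw new Error("no " + TOKEN_FIELD + " input in partial response");
  }
  const value = tag[0].match(/\bvalue=["']([^"']*)["']/i);
  if (!value || value[1] === "") {
    throw new Error(TOKEN_FIELD + " input has no value");
  }
  return value[1];
}

// Overwrite the token in every form on the page and report how many were
// updated. `doc` is injected (normally `document`) so the logic can be
// exercised outside a browser.
function replaceTokens(doc, token) {
  const inputs = doc.querySelectorAll('input[name="' + TOKEN_FIELD + '"]');
  let updated = 0;
  for (const input of inputs) {
    input.value = token;
    updated += 1;
  }
  return updated;
}

// Read the token currently on the page, e.g. to send it with an AJAX post.
function currentToken(doc) {
  const input = doc.querySelector('input[name="' + TOKEN_FIELD + '"]');
  return input ? input.value : null;
}

// Call from the login success handler. Cookies must accompany the request so
// the returned form token is paired with the browser's existing anti-forgery
// cookie; cache must be bypassed so a stale token is never reused.
async function refreshAntiForgeryToken(doc, url) {
  const response = await fetch(url, { credentials: "same-origin", cache: "no-store" });
  if (!response.ok) {
    throw new Error("token refresh failed: HTTP " + response.status);
  }
  const token = extractTokenValue(await response.text());
  return replaceTokens(doc, token);
}

// In the page: refreshAntiForgeryToken(document, TOKEN_URL).then(n => console.log(n + " form(s) refreshed"));
```

The partial on the server is nothing more than a view containing @Html.AntiForgeryToken(); only the form half of the token pair changes, the cookie half the browser already holds stays valid, which is why the fetch is made with credentials.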

There is another option, which leaves the anti-forgery configuration untouched and simply handles the failed validation gracefully.

In Umbraco we can override the default Global.asax file and plug in our own application class. We need to do it this way because the HttpAntiForgeryException is thrown by the [ValidateAntiForgeryToken] filter before the controller action runs, so the controller never gets a chance to catch it; the application-level error handler is the first place we can.

Create a new class file called Global.asax.cs, copy the code below into it, then edit Umbraco's default Global.asax so that its Inherits attribute points at the new class. The handler below logs the exception and sends the user back to the home page; the submitted data is discarded, which is the right outcome for a post whose token could not be verified.


Global.asax:
<%@ Application Codebehind="Global.asax.cs" Inherits="project.Web.CustomGlobal" Language="C#" %>

Global.asax.cs:

using System;
using System.Web.Mvc;
using Umbraco.Core.Logging;
using Umbraco.Web;

namespace project.Web
{
    public class CustomGlobal : UmbracoApplication
    {
        // UmbracoApplicationBase.Application_Error calls this for every unhandled
        // exception, including the one [ValidateAntiForgeryToken] throws before
        // the controller action is reached.
        protected override void OnApplicationError(object sender, EventArgs e)
        {
            base.OnApplicationError(sender, e);

            // do other error handling here as you need to
            Exception ex = Server.GetLastError();
            if (ex is HttpAntiForgeryException)
            {
                // Log before clearing: Server.ClearError() discards the exception.
                LogHelper.Error<CustomGlobal>("Anti-forgery token validation failed; redirecting to home page", ex);

                Response.Clear();
                Server.ClearError();

                // endResponse: false avoids the ThreadAbortException that Response.End()
                // raises; CompleteRequest() then short-circuits the rest of the pipeline.
                Response.Redirect("/", false);
                CompleteRequest();
            }
        }
    }
}

Need an Umbraco Master?

Here at Simon Antony, we have an in-house certified Umbraco Grand Master available for hire. Got a problem with your site, or need architecture advice? Give us a call to speak to Simon directly and see how we can help.

Contact Simon Today!