Last post Mar 03, 2015 10:16 AM by nagarajas
Mar 02, 2015 11:05 AM | nagarajas
I'm working on implementing XSRF protection for our ASP.NET MVC project.
I added @Html.AntiForgeryToken() in my Razor form (in the layout page) to have the AF token generated. I'm passing this __RequestVerificationToken with each request in a request header.
We have a custom AFT handler which validates the token for each request (algorithm below).
Step 1: Read the AFT cookie value. (var cookie = System.Web.HttpContext.Current.Request.Cookies[AntiForgeryConfig.CookieName];)
Step 2: Read the passed header value and assign it to a variable called formToken
Step 3: Perform validation. (AntiForgery.Validate(cookie.Value, formToken);)
When I run the application, the validation works fine. But if I close the tab (without closing the browser), open another tab and try the page, the validation fails with "The provided anti-forgery token was meant for a different claims-based user than the current user".
So every time I have to close and re-open the whole browser for the validation to work. It doesn't look right to me.
Can someone please let me know if this is the desired behaviour of AntiForgeryToken validation, or whether it can be resolved?
Mar 03, 2015 02:23 AM | Michelle Ge - MSFT
Based on the error message, you can try adding the following line in the Application_Start() event in Global.asax (in my case):
AntiForgeryConfig.SuppressIdentityHeuristicChecks = true;
There is a similar thread with the same error message; please refer to the link below:
Hope it's useful for you.
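For readers following the thread, here is an added example (not code from either poster) that puts the two halves together: the three-step header-based validation described in the question, written as an MVC authorization filter, and the Application_Start() setting suggested in the reply. The header name "__RequestVerificationToken" is taken from the question; the attribute and class names are illustrative assumptions.

```csharp
// Added example, not from the thread. Assumes System.Web.Mvc 5.x and
// System.Web.Helpers (System.Web.WebPages). Names below are illustrative.
using System;
using System.Web;
using System.Web.Helpers;
using System.Web.Mvc;

// Mirrors what ValidateAntiForgeryTokenAttribute does, except that the
// form half of the token pair is read from a request header.
public class ValidateHeaderAntiForgeryTokenAttribute : FilterAttribute, IAuthorizationFilter
{
    // Assumed header name, as used in the question.
    private const string HeaderName = "__RequestVerificationToken";

    public void OnAuthorization(AuthorizationContext filterContext)
    {
        if (filterContext == null) throw new ArgumentNullException("filterContext");
        HttpRequestBase request = filterContext.HttpContext.Request;

        // Step 1: the cookie half of the token pair.
        HttpCookie cookie = request.Cookies[AntiForgeryConfig.CookieName];
        string cookieToken = cookie != null ? cookie.Value : null;

        // Step 2: the form half, carried in a header instead of a form field.
        string formToken = request.Headers[HeaderName];

        // Step 3: validate. Throws HttpAntiForgeryException on any mismatch,
        // including the "meant for a different claims-based user" case.
        AntiForgery.Validate(cookieToken, formToken);
    }
}

// Global.asax.cs
public class MvcApplication : HttpApplication
{
    protected void Application_Start()
    {
        // The setting suggested in the reply: stop binding the token to the
        // claims-based identity, so the claims check cannot fail.
        AntiForgeryConfig.SuppressIdentityHeuristicChecks = true;

        // ... route and filter registration as usual
    }
}

// Usage on an action that changes state:
//   [HttpPost]
//   [ValidateHeaderAntiForgeryToken]
//   public ActionResult Save(Model m) { ... }
```

Two practitioner notes. First, when the claims heuristic is suppressed, the anti-forgery token is bound to Identity.Name rather than to the claim identifiers, so a user whose identity has an empty Name ends up with a token bound only to the cookie; keep the anti-forgery cookie Secure and HttpOnly in that configuration. Second, a filter like the one above should be applied only to state-changing actions (POST/PUT/DELETE), since GET requests carry no token to validate.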
Mar 03, 2015 10:16 AM | nagarajas
Thanks Michelle. I'll try this and will update.