The standard Login razor page has an issue when you do the following
- Make sure you are logged out
- Open 2 tabs in the same browser, with the login page on both
- Login in on 1 tab, then try to log in on the 2nd tab
When you log in with the 2nd tab a 400 error is generated A easy fix to this is to add "[IgnoreAntiforgeryToken]" to the login page.
My understanding is the Antiforgery Token is used to stop someone generating a post request that will run under the context of the currently logged in user, but as the login page is public, I don't see how this would improve security for the log on page.
But if this is the case why do Microsoft not do this for the standard logon page? Is their any security implications to adding "[IgnoreAntiforgeryToken]" to this page?
If I was to do this, its probably best to also add something like this (untested) as if the user logged in as someone else on the 2nd tab, that could cause 400 errors further down the line
public async Task<IActionResult> OnPostAsync(string returnUrl = null)
{
if(User.Identity.IsAuthenticated)
{
var LoggenInAsCurrentUser = (User.Identity.Name == Input.Email);
return RedirectToPage(LoggenInAsCurrentUser ? "/Homepage" : "/LoggedinAsOtherUser");
}
After further review I decided to go with the approach shown in the related questions, this may be a little more complicated approach, but it has the benefit of capturing any AntiforgeryToken errors not just those on the logon page and allowing them to be logged.