The provided anti-forgery token was meant for a different claims-based user than the current user

Question

I tried to use [ValidateAntiForgeryToken] attribute before of my action.If I go to this action without login, worked currently. but, If I log-in via ajax before call this action get this error.

The provided anti-forgery token was meant for a different claims-based user than the current user.

I use in my login form @Html.AntiForgeryToken() that exist inside of website layout . and from that post to the up action has @Html.AntiForgeryToken().I try to use Salt but get error .I use in action [ValidateAntiForgeryToken] attribute.

  [ValidateAntiForgeryToken]
    [ValidateInput(true)]
    public ActionResult PrePaymentBank(CharterParam charterParam, string MobileForSMS){}

What is problem?

Answer 1

I got this today and the fix was Replace [ValidateAntiForgeryToken] with [AutoValidateAntiforgeryToken]

.NET Core 2 changed the process where you can not suppress the user. Sorry if your not using .NET Core 2.

https://github.com/aspnet/Antiforgery/blob/dev/src/Microsoft.AspNetCore.Antiforgery/Internal/DefaultAntiforgeryTokenGenerator.cs

Answer 2

The anti-forgery token is generated for your anonymous user when the page initially renders (i.e. that's when the @Html.AntiForgeryToken() method runs).

When you log in via an AJAX request, you change from being an anonymous user to being your logged in user.

When you later submit the form with the anti-forgery token that was generated for the anonymous user, the validation fails because (as the exception states)

the "token was meant for a different claims-based user [i.e. the anonymous user] than the current user [i.e. your logged in self]"

To resolve the problem, you will need to ensure that the anti-forgery token is regenerated after the successful login AJAX request.