Anti forgery token is meant for user “” but the current user is “username”

by

This is happening because the anti-forgery token embeds the username of the user as part of the encrypted token for better validation. When you first call the @Html.AntiForgeryToken() the user is not logged in so the token will have an empty string for the username, after the user logs in, if you do not replace the anti-forgery token it will not pass validation because the initial token was for anonymous user and now we have an authenticated user with a known username.

You have a few options to solve this problem:

  1. Just this time let your SPA do a full POST and when the page reloads it will have an anti-forgery token with the updated username embedded.

  2. Have a partial view with just @Html.AntiForgeryToken() and right after logging in, do another AJAX request and replace your existing anti-forgery token with the response of the request.

Note that setting AntiForgeryConfig.SuppressIdentityHeuristicChecks = true does not disable username validation, it simply changes how that validation works. See the ASP.NET MVC docs, the source code where that property is read, and the source code where the username in the token is validated regardless of the value of that config.

More Related Contents:

  1. How do I use my own database with SimpleMembership and WebSecurity? What is MVC4 security all about?
  2. Submit same Partial View called multiple times data to controller?
  3. ASP.NET MVC 4 Custom Authorize Attribute with Permission Codes (without roles)
  4. Pass data to layout that are common to all pages
  5. How to validate file type of HttpPostedFileBase attribute in Asp.Net MVC 4?
  6. How to add reference to System.Web.Optimization for MVC-3-converted-to-4 app
  7. How to add global ASP.Net Web Api Filters?
  8. Role based authentication in the new MVC 4 Internet template using simplemembership
  9. unobtrusive validation not working with dynamic content
  10. Mixing Web Api and ASP.Net MVC Pages in One Project
  11. ViewModels or ViewBag?
  12. How to create ASP.NET Web API Url?
  13. ASP.NET 4.5 has not been registered on the Web server
  14. ASP.NET MVC 4 custom Authorize attribute – How to redirect unauthorized users to error page? [duplicate]
  15. The required anti-forgery form field “__RequestVerificationToken” is not present Error in user Registration
  16. MVC 4 Beta side by side installation error
  17. How to add ASP.NET Membership Provider in a Empty MVC 4 Project Template?
  18. MVC 4 date culture issue?
  19. WebApi Json.NET custom date handling
  20. where should i place the js script files in a mvc application so jquery works well?
  21. What effect does the new precompile during publishing option have on MVC4 applications?
  22. ASP.NET MVC 4 Editor Template for basic types
  23. Automatic Migrations for ASP.NET SimpleMembershipProvider
  24. Problems implementing ValidatingAntiForgeryToken attribute for Web API with MVC 4 RC
  25. MVC Force jQuery validation on group of elements
  26. MVC4 HTTP Error 403.14 – Forbidden
  27. Proper JSON serialization in MVC 4
  28. mvc uppercase Model vs lowercase model
  29. How to add jQueryUI library in MVC 5 project?
  30. Jquery post and unobtrusive ajax validation not working mvc 4

Leave a Comment