
Good day!

I'm dealing with an issue for some time now and can't seem to find a solution. I have a usual ASP.NET MVC project on 'top' of which I added an Angular JS project. I also have a Web API, but this is not relevant for my issue. The web application itself is the Angular project, making calls to the API.

I used the default authentication system from ASP.NET MVC using the default Login.cshtml View and default AccountController methods for login/logout.

The problem I'm dealing with is the following:

A user enters the website and is prompted with the login form. After inserting valid account details, he is redirected to the main page (index, from the angular js project). If the user clicks on the Back button of the browser, he is prompted with the login form again and if he inserts his user and password again (or any other sign-in details), I receive a HttpAntiForgeryException with the following message: "The provided anti-forgery token was meant for a different claims-based user than the current user."

I tried disabling the back button with javascript (window.history.forward(1);), but it doesn't work apparently on older browser versions and it's by far an elegant solution. I tried reloading the login page (because after clicking back, if you reload the page you will be redirected to the index page (since the session is still valid)) and none of these solutions really work.

Any ideas?

Thank you in advance!

Update: so far I've included AntiForgeryConfig.SuppressIdentityHeuristicChecks = true; in Application_Start() and also this:

    using System.Threading.Tasks;
    using System.Web.Mvc;
    using System.Web.Routing;

    public class HandleAntiForgeryError : ActionFilterAttribute, IExceptionFilter
    {
        #region IExceptionFilter Members

        public void OnException(ExceptionContext filterContext)
        {
            // Only handle anti-forgery failures; any other exception propagates as usual
            var exception = filterContext.Exception as HttpAntiForgeryException;
            if (exception != null)
            {
                var routeValues = new RouteValueDictionary();
                routeValues["controller"] = "Account";
                routeValues["action"] = "Login";
                filterContext.Result = new RedirectToRouteResult(routeValues);
                filterContext.ExceptionHandled = true;
            }
        }

        #endregion
    }

    [HandleAntiForgeryError]
    public async Task<ActionResult> Login(LoginViewModel model, string returnUrl)
    {
        // ... existing login logic, unchanged ...
    }

The only issue left is when I click back and try to login with another user it fails. Meaning I remain logged in with the previous user. I expect this to be normal, but is there a way to change that (as in when I click back and enter other user's credentials, to get logged in with those new credentials (even though I'm already logged in)).

SOLVED: In my code I had the following line:

    if (User.Identity.IsAuthenticated)
        return RedirectToAction("Index", "App");

That is why after logging in with another user I was being redirected to index being logged in with the old credentials.


1 Answer

I had this same issue and I solved it by adding the following line in the Application_Start() event in Global.asax in my case:

AntiForgeryConfig.SuppressIdentityHeuristicChecks = true;

Also add this in Application_Error():

    protected void Application_Error(object sender, EventArgs e)
    {
        Exception ex = Server.GetLastError();
        if (ex is HttpAntiForgeryException)
        {
            // make sure you log the exception first
            Response.Clear();
            Server.ClearError();
            Response.Redirect("~/Home/Index", true);
        }
    }
    
Thanks for the answer. Adding this line generated another exception: "The provided anti-forgery token was meant for user "", but the current user is "admin"." admin being the user I logged in with. –  user2642287 May 8 at 11:46
    
So this might allow attacker to login via xsrf with alternative (stolen or registered elsewhere) credentials. Whether or not this would be problematic is debatable, especially if all other functions are xsrf protected. –  spender May 8 at 11:49
    
I don't know in depth what this does but it solved my problem. –  Ehsan Sajjad May 8 at 11:51
    
See edit, it should work now –  Ehsan Sajjad May 8 at 11:52
    
spender, indeed, suppressing the exception is not a solution. however, can't seem to find one. –  user2642287 May 8 at 11:54
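For completeness, here is an added example (not code from the question or the answer) of the direction the question's own SOLVED note and spender's comment point at: keep [ValidateAntiForgeryToken] on the POST instead of suppressing the identity checks or swallowing the exception, serve the login form with no-store so the Back button re-requests it and gets a token bound to whoever is signed in now, and sign the existing user out before signing the new one in so a second login replaces the first user instead of leaving it in place. It assumes the MVC 5 / ASP.NET Identity 1.0 template types (UserManager, IdentityUser, DefaultAuthenticationTypes, the OWIN IAuthenticationManager) and a LoginViewModel with UserName, Password and RememberMe; those are assumptions, not taken from the page.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using System.Web.UI;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.EntityFramework;
using Microsoft.Owin.Security;

// Assumed view model, shaped like the MVC 5 Identity template (not from the page).
public class LoginViewModel
{
    public string UserName { get; set; }
    public string Password { get; set; }
    public bool RememberMe { get; set; }
}

[Authorize]
public class AccountController : Controller
{
    // Assumed: UserManager is wired up as in the MVC 5 Identity template.
    public UserManager<IdentityUser> UserManager { get; private set; }

    public AccountController(UserManager<IdentityUser> userManager)
    {
        UserManager = userManager;
    }

    private IAuthenticationManager AuthenticationManager
    {
        get { return HttpContext.GetOwinContext().Authentication; }
    }

    // GET: /Account/Login
    // NoStore makes the browser re-request the form on Back instead of replaying
    // a cached copy whose hidden token was issued to the anonymous user. The
    // freshly rendered form carries a token bound to the current identity, so the
    // following POST validates.
    [AllowAnonymous]
    [OutputCache(NoStore = true, Duration = 0, Location = OutputCacheLocation.None)]
    public ActionResult Login(string returnUrl)
    {
        ViewBag.ReturnUrl = returnUrl;
        return View();
    }

    // POST: /Account/Login
    // The token check stays on, so a stale token is still rejected. There is
    // deliberately no "if authenticated, redirect to Index" guard here: that guard
    // is what kept the old session in place when a second set of credentials was
    // submitted (the question's own finding).
    [HttpPost]
    [AllowAnonymous]
    [ValidateAntiForgeryToken]
    public async Task<ActionResult> Login(LoginViewModel model, string returnUrl)
    {
        if (!ModelState.IsValid)
        {
            return View(model);
        }

        var user = await UserManager.FindAsync(model.UserName, model.Password);
        if (user == null)
        {
            ModelState.AddModelError("", "Invalid username or password.");
            return View(model);
        }

        // Drop any existing application cookie before issuing a new one, so the
        // second login replaces the first user rather than leaving it signed in.
        AuthenticationManager.SignOut(DefaultAuthenticationTypes.ApplicationCookie);

        ClaimsIdentity identity = await UserManager.CreateIdentityAsync(
            user, DefaultAuthenticationTypes.ApplicationCookie);
        AuthenticationManager.SignIn(
            new AuthenticationProperties { IsPersistent = model.RememberMe }, identity);

        return RedirectToLocal(returnUrl);
    }

    // Open-redirect guard: only follow returnUrl when it is local to this site.
    private ActionResult RedirectToLocal(string returnUrl)
    {
        if (Url.IsLocalUrl(returnUrl))
        {
            return Redirect(returnUrl);
        }
        return RedirectToAction("Index", "App");
    }
}
```

With this in place the Back-button sequence becomes: a POST from a stale cached form still fails token validation, the question's HandleAntiForgeryError filter redirects to GET Login, the no-store form is rendered fresh with a token for the current user, and the next POST validates and swaps the signed-in user. Because the token check is never suppressed, the login-CSRF concern raised in spender's comment (an attacker logging a victim into an attacker-controlled account via a forged login POST) is still blocked.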
