The anti-forgery token provided was for user "{user}", but the current user is ""
I am having problems with my spoof token after submitting a form. I keep getting this error message:
The anti-forgery token provided is for user "{user}", but the current user is "
The difference between what others have asked here and with mine is that it says the current user is empty and the anti-spoof token is looking for the user. It doesn't make any sense, because when I checked HttpContext.Current.User.Identity.Name and Membership.GetUser (). UserName , they have an anti-spoofing token of the user being searched. It doesn't make any sense.
NewRecordEntry.cshtml
<h2>New Record</h2>
@using (Html.BeginForm())
{
@Html.AntiForgeryToken()
<div id="new-record-entry">
@Html.DropDownListFor(model => model.recordTypeID, Model.GetRecordTypeList())
</div>
<input type="submit" name="NewRecordEntry" id="continue" size="11" />
}
controller
[HttpPost]
[ValidateAntiForgeryToken]
public ActionResult NewRecordEntry(FormCollection frm, NewRecordEntryViewModel nrevm)
{
TempData["NewRecordEntry"] = nrevm;
return RedirectToAction("NewRecord", "FakeController");
}
Authentication filter
public class FakeAuthenticationFilter : ActionFilterAttribute, IAuthenticationFilter
{
public void OnAuthentication(AuthenticationContext filterContext)
{
// Get userData stored in a session. Workplace environment does not allow cookies
UserData userData = (UserData) filterContext.HttpContext.Session[UserInfo.SessionUser];
if (userData != null)
{
// Get identity and principal
var identity = new GenericIdentity(UserInfo.SessionUser, "Forms");
var principal = new FakePrincipal(identity);
principal.UserData = userData;
// Set the context user.
HttpContext.Current.User = principal;
}
else
{
filterContext.Result = new RedirectResult("~/Login");
}
}
public void OnAuthenticationChallenge(AuthenticationChallengeContext filterContext)
{
}
}
membership
public class FakeMembershipProvider : MembershipProvider
{
public override bool ValidateUser(string username, string password)
{
// Check if this is a valid user.
// The application sends the username and password to an LDAP DLL which
// reurns "Success" if it was a match.
string result = LoginService.AuthenticateUser(username, password);
if (result == "Success")
{
return true;
}
return false;
}
public override MembershipUser GetUser(string username, bool userIsOnline)
{
if (LoginService.UserData != null)
{
return new MembershipUser("FakeMembershipProvider",
username, LoginService.UserData.UserID,
null, null, null, true, false,
DateTime.MinValue, DateTime.MinValue, DateTime.MinValue,
DateTime.MinValue, DateTime.MinValue);
}
return null;
}
}
Input Mail Controller
#region Login Post Controllers
[HttpPost]
[ValidateAntiForgeryToken]
public ActionResult Login(FormCollection frm, LoginViewModel lvm, string returnUrl)
{
List<string> errorList = null;
try
{
if (ModelState.IsValid)
{
string result = Services.ValidateLogin(lvm);
if (result == "Success")
{
if (Url.IsLocalUrl(returnUrl)
&& returnUrl.Length > 1
&& returnUrl.StartsWith("/")
&& !returnUrl.StartsWith("//")
&& !returnUrl.StartsWith("/\\"))
{
return base.Redirect(returnUrl);
}
return base.RedirectToAction("Index");
}
else
{
TempData["errors"] = result;
ModelState.AddModelError("", result);
}
}
else
{
errorList = Services.AddErrorMesagesToView(ModelState);
TempData["errors"] = errorList;
}
//return base.RedirectToAction("Admin", new { section = section });
ModelState.Clear();
return View(new LoginViewModel());
}
catch (NullReferenceException ne)
{
if (ne.Source != null)
Console.WriteLine("NullReferenceException source: {0}", ne.Source);
}
catch (HttpException he)
{
if (he.Source != null)
Console.WriteLine("HttpException source: {0}", he.Source);
}
catch (Exception e)
{
if (e.Source != null)
Console.WriteLine("Exception source: {0}", e.Source);
}
finally
{
ModelState.Clear();
}
return base.RedirectToAction("Login");
}
#endregion
ValidateLogin
public static string ValidateLogin(LoginViewModel lvm)
{
/* string ldapServer = WebConfigurationManager.AppSettings["LDAPServer"];
string result = Fakeauthenticate.Fakeauth.LdapAuth(lvm.Login, lvm.Password, ldapServer);
*/
string result = null;
const int INACTIVE = 1;
FakeEntities db = new FakeEntities();
// This is the only feasible way to call an SQL user-defined scalar function
string sqlQuery = "SELECT [dbo].[Util_GetUserActivationStatus] ({0})";
Object[] parameters = { lvm.Login };
int status = db.Database.SqlQuery<int>(sqlQuery, parameters).FirstOrDefault();
if (status == INACTIVE)
{
return "The user is currently locked out.";
}
if (Membership.ValidateUser(lvm.Login, lvm.Password))
{
HttpContext.Current.Session[UserInfo.SessionUser] = LoginBusiness.GetUserData(lvm.Login);
HttpContext.Current.Session.Timeout = UserInfo.Timeout;
result = "Success";
}
else
{
result = LoginBusiness.AuthenticateUser(lvm.Login, lvm.Password);
if (result == "Login_Failure")
{
if (HttpContext.Current.Session[lvm.Login] == null)
{
HttpContext.Current.Session[lvm.Login] = 1;
}
else
{
uint loginFailures = (uint)HttpContext.Current.Session[lvm.Login];
HttpContext.Current.Session[lvm.Login] = ++loginFailures;
// If the maximum number of login failures have been reached, then lock the user out.
if ((uint)HttpContext.Current.Session[lvm.Login] == UserInfo.MAX_LOGIN_FAILURES)
{
db.Util_LockUserOut(lvm.Login);
return "Your account has been temporarily locked.";
}
}
}
}
return result;
}
source to share
You should check if your form has more than one @Html.AntiForgeryToken()
. If so, remove all but one.
Also make sure you don't submit the form twice. It will ruin AntiForgeryToken
.
If you want to disable this check, add the following to your method Application_Start
:
AntiForgeryConfig.SuppressIdentityHeuristicChecks = true
source to share
The problem is with your FakeAuthenticationFilter. I am assuming you are using this filter for the controller action that loads the page. FakeAuthenticationFilter sets HttpContext.Current.User = new FakePrincipal (identifier). This principal probably has a Name property that you see in the error message .. NET uses this Principal to generate tokens on the page, but when you submit tokens the HttpContext will not have the same Principal.
The solution might be to set the FakeAuthenticationFilter to the NewRecordEntry action.
source to share