Hey there!
I've been struggling with a problem for some time now and can't seem to figure it out. I have an ASP.NET MVC project with an added Angular JS project on top of it. I also have a Web API, but that's not important for this issue. The web application itself is driven by the Angular project, which makes calls to the API.
For authentication, I'm using the default system from ASP.NET MVC with the standard Login.cshtml View and AccountController methods for login/logout.
The issue I'm facing is as follows:
When a user logs into the website and then clicks the browser's Back button, they are prompted with the login form again. If they enter their credentials once more, I encounter an HttpAntiForgeryException stating "The provided anti-forgery token was meant for a different claims-based user than the current user."
I've tried solutions like disabling the back button with JavaScript (window.history.forward(1);), but it doesn't work consistently across older browser versions. Reloading the login page doesn't solve the problem either.
Any suggestions?
Thanks in advance!
Update: I've included

    AntiForgeryConfig.SuppressIdentityHeuristicChecks = true;

in Application_Start() and added the following code:
    using System.Threading.Tasks;
    using System.Web.Mvc;
    using System.Web.Routing;

    public class HandleAntiForgeryError : ActionFilterAttribute, IExceptionFilter
    {
        #region IExceptionFilter Members

        public void OnException(ExceptionContext filterContext)
        {
            // Only handle anti-forgery failures; let everything else propagate.
            var exception = filterContext.Exception as HttpAntiForgeryException;
            if (exception != null)
            {
                // Send the browser back to the login page, which renders a fresh token.
                var routeValues = new RouteValueDictionary();
                routeValues["controller"] = "Account";
                routeValues["action"] = "Login";
                filterContext.Result = new RedirectToRouteResult(routeValues);
                filterContext.ExceptionHandled = true;
            }
        }

        #endregion
    }

    [HandleAntiForgeryError]
    public async Task<ActionResult> Login(LoginViewModel model, string returnUrl)
    {
        // body as in the default AccountController (omitted in the post)
    }
The only remaining issue is that when I click back and try to log in with another user, it fails. It seems to keep me logged in with the previous user. Is there a way to change this behavior so that if I enter new credentials after clicking back, I get logged in with the new user instead?
SOLVED: Turns out, the culprit was this line in my code:
    if (User.Identity.IsAuthenticated)
        return RedirectToAction("Index", "App");
This line was causing me to be redirected to the index page with the old credentials after logging in with a different user. Removing it fixed the issue.
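The token-to-user binding that raised the exception is a deliberate protection: an anti-forgery token generated for the anonymous user is refused once the request runs under an authenticated identity, and `AntiForgeryConfig.SuppressIdentityHeuristicChecks = true` switches that check off for every form in the application. The following is an added example (not the asker's code and not the ASP.NET template's verbatim code) showing how the same back-button scenario can be handled without the global suppression: the exception filter ends the stale session and redirects to the login page so a fresh token is issued, the GET action renders the form without the `IsAuthenticated` redirect, and the POST action signs out any existing session before signing in the new user. It assumes the MVC 5 template's OWIN cookie authentication, `ApplicationSignInManager`, `LoginViewModel`, and an `App` controller with an `Index` action.

```csharp
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using System.Web.Routing;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin.Security;

// Exception filter for the back-button case: the re-posted form carries an
// anti-forgery token issued for the anonymous user, but the request now runs
// under the identity of the first login, so token validation throws.
// Rather than setting AntiForgeryConfig.SuppressIdentityHeuristicChecks (which
// disables the user-binding check app-wide), end the stale session and send
// the browser to the login page, which renders a fresh token.
public class HandleAntiForgeryErrorAttribute : FilterAttribute, IExceptionFilter
{
    public void OnException(ExceptionContext filterContext)
    {
        if (!(filterContext.Exception is HttpAntiForgeryException))
            return;

        var context = filterContext.HttpContext;
        if (context.User != null && context.User.Identity.IsAuthenticated)
        {
            // Assumption: OWIN cookie authentication as in the MVC 5 template.
            context.GetOwinContext().Authentication
                   .SignOut(DefaultAuthenticationTypes.ApplicationCookie);
        }

        filterContext.Result = new RedirectToRouteResult(new RouteValueDictionary
        {
            { "controller", "Account" },
            { "action", "Login" }
        });
        filterContext.ExceptionHandled = true;
    }
}

public class AccountController : Controller
{
    // Assumption: the template's ApplicationSignInManager, resolved via OWIN.
    private ApplicationSignInManager SignInManager
    {
        get { return HttpContext.GetOwinContext().Get<ApplicationSignInManager>(); }
    }

    private IAuthenticationManager AuthenticationManager
    {
        get { return HttpContext.GetOwinContext().Authentication; }
    }

    // GET: /Account/Login
    // No "if (User.Identity.IsAuthenticated) redirect to Index" here: that is
    // the line that kept the first user's session alive. The form is rendered
    // for whoever arrives, with a token bound to the current identity.
    [AllowAnonymous]
    public ActionResult Login(string returnUrl)
    {
        ViewBag.ReturnUrl = returnUrl;
        return View();
    }

    // POST: /Account/Login
    [HttpPost]
    [AllowAnonymous]
    [ValidateAntiForgeryToken]
    [HandleAntiForgeryError]
    public async Task<ActionResult> Login(LoginViewModel model, string returnUrl)
    {
        if (!ModelState.IsValid)
            return View(model);

        // Drop any existing session before signing in, so a second login
        // replaces the first user instead of keeping it.
        if (User.Identity.IsAuthenticated)
            AuthenticationManager.SignOut(DefaultAuthenticationTypes.ApplicationCookie);

        var result = await SignInManager.PasswordSignInAsync(
            model.Email, model.Password, model.RememberMe, shouldLockout: false);

        switch (result)
        {
            case SignInStatus.Success:
                return RedirectToLocal(returnUrl);
            case SignInStatus.LockedOut:
                return View("Lockout");
            default:
                ModelState.AddModelError("", "Invalid login attempt.");
                return View(model);
        }
    }

    // Only follow returnUrl when it is local, so the login page cannot be
    // used as an open redirect.
    private ActionResult RedirectToLocal(string returnUrl)
    {
        if (Url.IsLocalUrl(returnUrl))
            return Redirect(returnUrl);
        return RedirectToAction("Index", "App");
    }
}
```

Because `[ValidateAntiForgeryToken]` runs before the action body, the sign-out inside the POST only executes when the token already matched the current identity (the form was rendered while logged in); the stale-token case is handled entirely by the filter, which clears the cookie and redirects so the next form carries a token for the anonymous user.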