When I log in as a B2B customer I get the following error: "The provided anti-forgery token was meant for a different claims-based user than the current user."
The reason for this error is how the AntiForgeryToken is built. For visitors who are not logged in a cookie is used, and for logged-in users the authentication data is used. So when the user logs in, the validation information changes from the cookie to the authentication data, and when the select organization view then posts its data it still carries the old information based on the cookie instead of the authentication data. As far as I know this will only happen if the person logging in belongs to multiple organizations.
To get this to work you need to change the login page, something like this, with a redirect between the login screen and the select organization screen.
You can call SignOut() on Litium.Security.AuthenticationService for the initial page load (GET request) of the login page; then all users should be logged out. Not sure if that can be done in the same request as the form is shown to the user, or if you need to do a redirect with something like this (not tested code):
if (User.Identity.IsAuthenticated)
{
    // _authenticationService is injected and set in the ctor to the Litium.Security.AuthenticationService
    _authenticationService.SignOut();
    // Redirect so the next GET of the login page runs with the anonymous identity
    // (System.Web exposes the request URL as Request.Url, not Request.Uri)
    return Redirect(Request.Url.PathAndQuery);
}
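The full login-to-select-organization flow with the redirect in place, as an added example that is not code from the original post or from Litium. It assumes ASP.NET MVC 5 with a Litium.Security.AuthenticationService exposing SignOut() (named above); the Login(userName, password) method returning bool is a hypothetical placeholder for whatever sign-in call the project uses.

```csharp
// Added example (not Litium's code). Key point: the anti-forgery token is bound
// to HttpContext.User at render time, and during the login POST that identity
// is still the anonymous one even though the auth cookie is being set. Rendering
// the select-organization form in that same request stamps it with the anonymous
// identity, so the following POST (now authenticated) fails validation. Redirecting
// makes a fresh GET issue the token for the authenticated identity.
using System.Web.Mvc;
using Litium.Security;

public class LoginController : Controller
{
    private readonly AuthenticationService _authenticationService;

    public LoginController(AuthenticationService authenticationService)
    {
        _authenticationService = authenticationService;
    }

    // GET /login: always render the form for an anonymous identity.
    [HttpGet]
    public ActionResult Index()
    {
        if (User.Identity.IsAuthenticated)
        {
            _authenticationService.SignOut();
            return Redirect(Request.Url.PathAndQuery); // re-GET as anonymous
        }
        return View();
    }

    // POST /login: the anonymous token in the form matches the anonymous user here.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Index(string userName, string password)
    {
        if (!_authenticationService.Login(userName, password)) // hypothetical sign-in call
        {
            ModelState.AddModelError("", "Invalid credentials.");
            return View();
        }
        // Do NOT return View("SelectOrganization") here; redirect instead.
        return RedirectToAction("SelectOrganization");
    }

    // GET after the redirect: User is now the B2B customer, so the token fits.
    [HttpGet]
    public ActionResult SelectOrganization() => View();

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult SelectOrganization(string organizationId)
    {
        TempData["OrganizationId"] = organizationId; // placeholder for the real selection logic
        return RedirectToAction("Index", "Home");
    }
}
```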
When you open a new tab and log in, you change the user in all tabs, not only the second tab. So when you open the new tab and log in, the session is transformed from "not logged in visitor" to "logged in" and then the AntiForgeryToken is not valid any more.
You have several options to solve this:
Use separate domain names for the public site and the back office
Switch to a browser that does not share information between tabs or windows
Use different browsers for the public site and the back office
Remove the AntiForgeryToken attribute on the controllers, not recommended due to XSS
Re-implement the AntiForgeryToken logic so that it works as you want, not recommended due to security complexity and XSS
This may be an issue for the developer and maybe for a merchant if they switch from the public site to the back office together with switching user. It will not be an issue for the visitors on the site because they should never log in on the back office login page, so this scenario will not happen.