Issue when logging in while a BO login exists: getting an anti-forgery token error

When I log in as a B2B customer I get the following error: "The provided anti-forgery token was meant for a different claims-based user than the current user".

It happens when I try to log in to a B2B account without refreshing the login page while Back Office is already logged in in the same browser for the same site.

I think it is handled by the data annotation [ValidateAntiForgeryToken] before the Login POST API.

How can I keep the B2B login working without getting this error in this scenario?

Litium version 7.6.1

The reason for this error is how the AntiForgeryToken is built. For not-logged-in visitors a cookie is used, and for logged-in users the authentication data is used. So when the user is logging in, the validation information is changed from cookie to authentication data, and then when the select organization view posts data it still has old information based on the cookie instead of the authentication data. As far as I know this will only happen if the person logging in belongs to multiple organizations.

To get this to work you need to change the login page, something like this, with a redirect between the login screen and the select organization screen.

Thank you @patric.forsgard for the response.
Here in my case the scenario is different: here both users have logged in.

1 is the Back Office login,
the other is a B2B customer login on the same URL.

The error is returned by the data annotation "[ValidateAntiForgeryToken]" before hitting the Login POST method.

Is there any way I can clear the authentication data of Back Office while logging in?

Steps to recreate.

  1. Go to the B2B login page (do not log in).
  2. Log in to the Litium Back Office in a new tab in the same browser.
  3. Log in as a B2B customer in the already open tab without refreshing the page.

You can call SignOut() on Litium.Security.AuthenticationService for the initial page load (GET request) of the login page; then all users should be logged out. Not sure if that can be done in the same request as the form is shown to the user or if you need to do a redirect with something like this (not tested code):

// Inside the GET action of the login controller (ASP.NET MVC).
if (User.Identity.IsAuthenticated)
{
    // _authenticationService is injected and set in the ctor to the Litium.Security.AuthenticationService
    _authenticationService.SignOut();
    // Redirect to the same URL so the form (and its anti-forgery token) is rendered for an anonymous visitor.
    return Redirect(Request.Url.PathAndQuery);
}
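The two suggestions in this thread (sign out any already-authenticated user on the GET of the login page, and put a redirect between the login POST and the select organization screen so that view is rendered, with a fresh token, for the now-authenticated identity) combined into one ASP.NET MVC controller. This is an added example, not code from the thread or from Litium; AuthenticationService.SignOut() is the service named above, while ICustomerLogin, LoginViewModel and the SelectOrganization route are hypothetical placeholders for the customer login itself.

```csharp
using System.Web.Mvc;
using Litium.Security;

// Hypothetical abstraction for the actual B2B customer sign-in (not a Litium API).
public interface ICustomerLogin
{
    bool TrySignIn(string userName, string password);
}

public class LoginViewModel
{
    public string UserName { get; set; }
    public string Password { get; set; }
}

public class B2BLoginController : Controller
{
    private readonly AuthenticationService _authenticationService;
    private readonly ICustomerLogin _customerLogin;

    public B2BLoginController(AuthenticationService authenticationService, ICustomerLogin customerLogin)
    {
        _authenticationService = authenticationService;
        _customerLogin = customerLogin;
    }

    // GET: if another identity (e.g. a Back Office user from another tab) is already
    // authenticated in this browser, sign it out and reload so the form and its
    // anti-forgery token are generated for an anonymous (cookie-based) visitor.
    [HttpGet]
    public ActionResult Index()
    {
        if (User.Identity.IsAuthenticated)
        {
            _authenticationService.SignOut();
            return Redirect(Request.Url.PathAndQuery);
        }
        return View(new LoginViewModel());
    }

    // POST: the token must match the identity of the request that submits it. After a
    // successful sign-in, redirect instead of returning a view: the select organization
    // page is then rendered by a new GET as the logged-in user, so the token it embeds
    // is bound to the authentication data rather than the stale anonymous cookie.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Index(LoginViewModel model)
    {
        if (!_customerLogin.TrySignIn(model.UserName, model.Password))
        {
            ModelState.AddModelError(string.Empty, "Invalid user name or password.");
            return View(model);
        }
        return RedirectToAction("Index", "SelectOrganization");
    }
}
```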

Here all the users get logged out during the initial page load (GET request) of the login page.
The error comes when:

  1. I load the login page (and keep it there without logging in).
  2. I log in to the Litium Back Office from another tab in the same browser.
  3. I log in as a B2B customer through the page previously loaded (without refreshing).

When you open a new tab and log in, you change the user in all tabs, not only the second tab. So when you open the new tab and log in, the session is transformed from "not logged in visitor" to "logged in" and then the AntiForgeryToken is not valid any more.

You have several options to solve this:

  • Use separate domain names for the public site and the back office
  • Switch to a browser that does not share information between tabs or windows
  • Use different browsers for the public site and the back office
  • Remove the AntiForgeryToken attribute on the controllers, not recommended due to XSS
  • Re-implement the AntiForgeryToken logic so that it works as you want, not recommended due to security complexity and XSS

This may be an issue for the developer, and maybe for a merchant if they switch from the public site to the back office together with switching user. It will not be an issue for the visitors on the site because they should never log in on the back office login page, so this scenario will not happen.
