How can I fix anti-forgery token was meant for user “”, but the current user is “xxxx ” error

Question

The provided anti-forgery token was meant for user \"\", but the current user is \"xxxx \".

I have followed every single solution possible to get rid of this error wit

Answer 1

This happens because the two browser tabs share the same cookie store. Authenticating with the first tab sets a new cookie that identifies your username. When the second tab is submitted it will pass the updated cookie retrieved from the successful authentication in the first tab, along with the hidden form field that was loaded before authentication that identifies you as an anonymous user. Because the usernames in the cookie and the hidden form field don't match the validation fails.

The AntiForgeryWorker that ValidateAntiForgeryTokenAttribute uses encodes the authenticated username into both the cookie and the hidden form field and ensures they both match when validating. As such whenever you authenticate, or change users this validation will fail, if posting to an action with the ValidateAntiForgeryTokenAttribute.

Unfortunately this means your options are limited to not protecting the login action with ValidateAntiForgeryTokenAttribute, Ignoring the scenario that you describe and letting validation fail, or reimplementing the AntiForgery implementation in MVC such that is does not include the username in the validation procedure.