70

I have been going through the error logs of a development project and found the following error (name changed to protect the guilty innocent)-

The provided anti-forgery token was meant for user "", but the current user is "admin".

This was not an especially difficult issue to reproduce-

  1. Open the application at the login page
  2. Open a second window or tab in the same browser on the same computer to the login page before logging in
  3. Login in the first window (or indeed second, the order doesn't matter)
  4. Attempt to login in the remaining login window

The stack trace is-

System.Web.Mvc.HttpAntiForgeryException (0x80004005): The provided anti-forgery token was meant for user "", but the current user is "admin". at System.Web.Helpers.AntiXsrf.TokenValidator.ValidateTokens(HttpContextBase httpContext, IIdentity identity, AntiForgeryToken sessionToken, AntiForgeryToken fieldToken) at System.Web.Helpers.AntiXsrf.AntiForgeryWorker.Validate(HttpContextBase httpContext) at System.Web.Helpers.AntiForgery.Validate() at System.Web.Mvc.ValidateAntiForgeryTokenAttribute.OnAuthorization(AuthorizationContext filterContext) at System.Web.Mvc.ControllerActionInvoker.InvokeAuthorizationFilters(ControllerContext controllerContext, IList`1 filters, ActionDescriptor actionDescriptor) at System.Web.Mvc.Async.AsyncControllerActionInvoker.<>c__DisplayClass25.b__1e(AsyncCallback asyncCallback, Object asyncState)

The login method signature is-

[HttpPost]
[AllowAnonymous]
[ValidateAntiForgeryToken]
public ActionResult Login(LoginModel model, string returnUrl)
{
...
}

This is exactly the same as the signature for the method in a internet "ASP.NET MVC 4 Web Application" templated project, which indicates that Microsoft either felt the ValidateAntiForgeryToken was necessary/best practice, or simply added the attribute here because it was used everywhere else.

Obviously there is nothing I can do to handle the problem within this method as it isn't reached, the ValidateAntiForgeryToken is a pre-request filter and it is blocking the request before it reaches the controller.

I could check if the user is authenticated via Ajax before submitting the form and attempt to redirect to them if so, or simply remove the attribute.

The question is this - I understand that the token is design to prevent requests from another site (CSRF) when the user is already authenticated against your site so on that basis is it an issue to remove it from a form which by definition will be used by unauthenticated users?

Presumably the attribute in this instance is designed to mitigate malicious actors providing fake login forms for your application (although by the time the exception is thrown presumably the user has already entered his or her details which will have been recorded - but it might alert them something is wrong). Otherwise submitting incorrect credentials to the form from an external site will result in exactly the same result as on the site itself surely? I am not relying on client validation/sanitation to clean up potentially unsafe input.

Have other devs come across this issue (or do we have unusually creative users) and if so how have you resolved/mitigated it?

Update: This issue still exists in MVC5, entirely intentionally, now with the error message "The provided anti-forgery token was meant for a different claims-based user than the current user." when using default template and Identity providers. There is a relevant question and interesting answer from Microsoft Developer Evangelist and Troy's fellow PluralSight author Adam Tuliper at Anti forgery token on login page which recommends simply removing the token.

Community
  • 1
  • 1
pwdst
  • 13,909
  • 3
  • 34
  • 50

4 Answers4

62

I've just tested this pattern on ASafaWeb with the same result (it uses the same default implementation). Here's what I believe is happening

  1. Both login forms load with the same __RequestVerificationToken cookie (it's just the same one set in the same DOM) and the same __RequestVerificationToken hidden field. These tokens are keyed to an anonymous user.
  2. Login form A posts with the above tokens, validates them then returns an auth cookie which is now in the browser DOM
  3. Login form B posts also with the above tokens but now it's also posting with the auth cookie set from login form A as well.

The problem is that the token isn't validating in step 3 because it's keyed to an anonymous user but it's being passed in the request by an authenticated user. This is why you're seeing the error: The provided anti-forgery token was meant for user "", but the current user is "admin"

You're only having this issue because form B loaded before form A posted therefore form B is expecting to be posted by an anonymous user.

Is it an issue to remove it from a form which by definition will be used by unauthenticated users?

The predominant underlying risk that anti-forgery tokens protect against is CSRF which usually takes advantage of authenticated users due to the fact that any requests their browser can be tricked into issuing will be automatically accompanied by an auth cookie hence the action will be performed on their behalf. This risk doesn't exist on the login form because usually the user isn't authenticated and the worst CSRF case here is that a login is forged and then fails; you're not exactly transferring money on the user's behalf!

There are other advantages to the anti-forgery token though: for example it prevents brute force attacks actually executing the method and hitting the DB. You need to decide if you're less worried about this and more worried about the scenario you're encountering in your question. Either that or you need to drop down into the request pipeline somewhere and take action if an auth cookie is already present in the request before the anti-forgery validation occurs.

Frankly though, I'm not sure I see the problem; to reproduce this issue the user has to have multiple login forms open at the same time and then try logging into each in succession - is this really going to happen enough to worry about? And when it does happen, does it really matter that the second login returns a custom error page (which of course you'd do in production)? IMHO, leave the default behaviour.

Troy Hunt
  • 20,345
  • 13
  • 96
  • 151
  • 1
    Thanks Troy. I understood the problem (nice straightforward message), and we do use Custom Error pages (I extracted the stack trace from logs, Elmah in this case). What I couldn't work out was the risk in removing the attribute from this method (it is used extensively for all operations that result in a change in data elsewhere in the application). The issue is that it was a sales member of staff who did this and I can easily see it happening again - although I can mitigate against that by briefing on the problem - and it doesn't look at all good to immediately hit an error in a sales demo. – pwdst Oct 01 '13 at 07:52
  • I reckon you're going to see this in less than 1 in 100 logins, it's just such an odd user pattern and while it no doubt happens, I'm betting it's extremely rare. Drop ELMAH in and let it log unhandled exceptions and you'll get a pretty good idea of the prevalence. – Troy Hunt Oct 01 '13 at 08:03
  • 4
    I agree it is niche, and described it as such to the Project Lead. The issue is that if that one in a hundred is in front of a prospect and the error is avoidable then regardless of the sales outcome we're in for criticism unless there is a strong reason to leave the attribute there. This is a typically internal only application so the brute force wins are minimal. – pwdst Oct 01 '13 at 08:10
  • I reckon if it's essential then either A) take the easy road and drop the token or B) catch the request earlier (authorisation filter?) and redirect requests with valid auth cookies. – Troy Hunt Oct 01 '13 at 08:39
  • 1
    Note that if you remove the CSRF protection from the Login page you are allowing attackers to login the user under an account they control. I have seen this been exploited when there is a persistent XSS vulnerability in a 'user controlled post-login page'. I.e. the attacker 1) logs in , 2) puts the XSS payload in a page he can edit and 3) uses CSRF requests to trigger that XSS payload on the user (then it is just a case of getting the user to login with his real account) – Dinis Cruz Oct 01 '13 at 09:28
  • 1
    @DinisCruz and Troy, I have given this careful thought over the two weeks and seen repeated exceptions caused when double requests are submitted, multiple login pages opened before login, or possibly the back button is used to return to the login page (which I have also read is a possible cause). In the context of our application, and with tokens used on all other POST methods, I have decided the risk without the token for login is minimal. Where the browser supports it though, would checking the Origin header matches the request host on the login POST reduce any risk still further? – pwdst Oct 23 '13 at 12:32
  • 7
    Just some data from the field: we experience this issue in production, and although we treat it as an edge case it happens much more often than we were expecting, multiple times every day from a relatively modest user base. FWIW I think this may be one of those cases where "average user" does things in their browser that "developer user" would never do. – centralscru Feb 26 '14 at 10:49
  • Would handling the error (`OnException`) and redirecting/displaying a page indicating they are already logged in be acceptable? I just tried and it works fine... You *could* just redirect to the homepage, avoiding an exception page, but I understand that if this exception occurs it's because either a) somebody tried to dupe them or b) they're already logged in. In either case, handling the exception, showing a friendly message, and writing a warning to the log would suffice, right? – kamranicus Jun 02 '15 at 15:24
  • I added an answer but I'm not an expert here, it was just an idea--is there something wrong with handling the error once you know the request is authenticated? – kamranicus Jun 02 '15 at 15:51
  • Is it recommended to use xsref if jwt is authentication strategy? – Nexus23 Nov 09 '17 at 14:23
13

The validation code that runs against an AntiForgeryToken also checks your logged in user credentials haven’t changed – these are also encrypted in the cookie. This means that if you logged in or out in a popup or another browser tab, your form submission will fail with the following exception:

System.Web.Mvc.HttpAntiForgeryException (0x80004005):
The provided anti-forgery token was meant for user "", but the current user is "SomeOne".

You can turn this off by putting AntiForgeryConfig.SuppressIdentityHeuristicChecks = true; in Application_Start method inside Global.asax file.

When a AntiForgeryToken doesn’t validate your website will throw an Exception of type System.Web.Mvc.HttpAntiForgeryException. You can make this a little easier by at least giving the user a more informative page targeted at these exceptions by catching the HttpAntiForgeryException.

private void Application_Error(object sender, EventArgs e)
{
Exception ex = Server.GetLastError();

if (ex is HttpAntiForgeryException)
  {
    Response.Clear();
    Server.ClearError(); //make sure you log the exception first
    Response.Redirect("/error/antiforgery", true);
  }
}
Zia Ul Mustafa
  • 301
  • 3
  • 14
  • `AntiForgeryConfig` auto-complete does not give me an option to select `SuppressIdentityHeuristicChecks`. I'm using Asp .NET Web API – DevEng Feb 21 '18 at 20:21
10

Okay, please correct me if my assumption is incorrect.

When this exception gets thrown, you would prefer to let the user continue on while also maybe displaying a relevant message/warning? Because when this exception gets thrown, we can already know if the current user is authenticated--we have access to the request.

So, why wouldn't this be acceptable?

[HttpPost]
[AllowAnonymous]
[ValidateAntiForgeryToken]
public ActionResult Login(LoginModel model, string returnUrl)
{
...
}

/// <summary>
/// Handle HttpAntiForgeryException and redirect if user is already authenticated
/// </summary>
/// <param name="filterContext"></param>
/// <remarks>
/// See: http://stackoverflow.com/questions/19096723/login-request-validation-token-issue
/// </remarks>
protected override void OnException(ExceptionContext filterContext)
{
    base.OnException(filterContext);

    var action = filterContext.RequestContext.RouteData.Values["action"] as string;
    var controller = filterContext.RequestContext.RouteData.Values["controller"] as string;

    if ((filterContext.Exception is HttpAntiForgeryException) &&
        action == "Login" &&
        controller == "MyController" &&
        filterContext.RequestContext.HttpContext.User != null &&
        filterContext.RequestContext.HttpContext.User.Identity.IsAuthenticated)
    {
        LogManager.GetCurrentClassLogger().Warn(
            "Handled AntiForgery exception because user is already Authenticated: " +
                filterContext.Exception.Message, filterContext.Exception);

        filterContext.ExceptionHandled = true;

        // redirect/show error/whatever?
        filterContext.Result = new RedirectResult("/warning");
    }
}

Am I missing something obvious here? I'll remove this answer if it has some implication I'm not seeing.

kamranicus
  • 4,207
  • 2
  • 39
  • 57
  • I prefer this solution; it is more practical. – Mojtaba Nov 01 '16 at 12:46
  • I might have found something: you might want to check that the authenticated user from the HttpContext matches the user in the LoginModel. Otherwise a login CSRF attack as discussed here: http://security.stackexchange.com/questions/2120/when-the-use-of-a-antiforgerytoken-is-not-required-needed/2126#2126 that triggers this exception will result in the already logged-in user being shown the "warning" page instead of the custom error page. That's fine, the user thought they were logging in with their own account! But your logging system will log a harmless error instead of an attack. I think. – nmit026 Jan 03 '17 at 02:19
  • @nmit026 I think you are correct. I might be able to test this scenario and see if I can add a conditional to see whether or not it can detect a CSRF for a different user and log an error instead. – kamranicus Jan 04 '17 at 16:26
-4

I had the same issue, I solved it by adding machineKey to system.web>

<machineKey validationKey="your machine key numbers" 
decryptionKey="Your description key nuumbers" validation="SHA1" decryption="AES" />

Here's a site that generate unique Machnie Keys http://www.developerfusion.com/tools/generatemachinekey/

Works great, I understand that Anti Forgery may not be needed in a Login page, but if someone is determined to hack you site, it comforting to know that [ValidateAntiForgeryToken] is there to thwart them off.

MVCdragon
  • 93
  • 2
  • 8
  • 1
    Could you please explain why adding the machinekey would solve the issue? – julealgon Oct 07 '14 at 15:52
  • 1
    This change will not fix this error as this is different than the "Cannot validate the Antiforgery Token" error that synchronized machine keys would prevent. – D-Sect Mar 12 '15 at 14:00