
Identityserver4 Login ValidateAntiForgeryToken

I have identityserver4 working, but I am facing an issue I don't know how to resolve. I downloaded a sample project from their GitHub repo ( https://github.com/IdentityServer/IdentityServer4.Templates ). Using their IdentityServer4InMem sample, I am able to replicate exactly what I am experiencing.

I run the project and open two tabs with the following URL: http://localhost:5000/Account/Login

If I log in on tab 1 and then attempt to log in on tab 2, I get an HTTP ERROR 400. I've researched it: it has to do with the ValidateAntiForgeryToken attribute; if I take off the annotation, I do not get the error. Of course I cannot do that in production, so I am trying to find a solution.

This issue has nothing to do with Identity Server.

To use [ValidateAntiForgeryToken] you need @Html.AntiForgeryToken() in the .cshtml file, which creates a unique token in a hidden field; in .NET Core you don't need to use the @Html helper. This hidden field's token gets generated when you make the HttpGet request for the login page, and it is then passed along when you click the login button.

In your case, when you open two tabs in a browser, each GET request creates a token. When you log in from one tab (an HttpPost request), your identity changes from an anonymous user to some valid user; in that case the previous token issued to the anonymous user is no longer valid, and it will always give you a 400 status.

This feature prevents cross-site request forgeries: it rejects any such form submission after the user is authenticated.
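The GET/POST token flow the answer describes, as an added example that is not code from the question, the answer or the IdentityServer4 templates. It is a hypothetical ASP.NET Core MVC controller (`AccountController`, `LoginViewModel` and the `TempData` message are assumptions) that validates the token through `IAntiforgery` instead of relying solely on `[ValidateAntiForgeryToken]`, so a token minted for an anonymous user in one tab is detected and the page is reloaded with a fresh token rather than answered with a bare HTTP 400.

```csharp
// Added example (not from the page): login actions showing where the antiforgery
// token is minted (GET) and checked (POST), with explicit handling of the stale
// token case that arises when another tab has already signed the user in.
using System.Threading.Tasks;
using Microsoft.AspNetCore.Antiforgery;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

[AllowAnonymous]
public class AccountController : Controller   // hypothetical controller name
{
    private readonly IAntiforgery _antiforgery;
    public AccountController(IAntiforgery antiforgery) => _antiforgery = antiforgery;

    // GET /Account/Login: the <form> tag helper in Login.cshtml emits the hidden
    // __RequestVerificationToken field automatically; the matching cookie half of
    // the token pair is set on this response. The token is bound to the caller's
    // identity, which at this point is anonymous.
    [HttpGet]
    public IActionResult Login(string returnUrl = null)
    {
        _antiforgery.GetAndStoreTokens(HttpContext); // explicit; the tag helper does the same
        return View(new LoginViewModel { ReturnUrl = returnUrl });
    }

    // POST /Account/Login: validate the token pair by hand so the failure can be
    // reported to the user instead of surfacing as a generic 400 from the filter.
    [HttpPost]
    public async Task<IActionResult> Login(LoginViewModel model)
    {
        try
        {
            await _antiforgery.ValidateRequestAsync(HttpContext);
        }
        catch (AntiforgeryValidationException)
        {
            // The submitted token was issued to a different identity (anonymous, before
            // another tab signed in), or is missing/expired: reload to mint a fresh one.
            TempData["Message"] = "Your sign-in state changed in another tab. Please try again.";
            return RedirectToAction(nameof(Login), new { returnUrl = model?.ReturnUrl });
        }

        // Credential check and SignInAsync follow here, unchanged from the template's flow.
        return Redirect(model.ReturnUrl ?? "/");
    }
}

public class LoginViewModel { public string ReturnUrl { get; set; } }   // hypothetical
```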
