MVC 4 provided anti-forgery token was meant for user “” but the current user is “user”

别那么骄傲 2020-12-18 18:24

I've recently put live a web application which was built using MVC 4 and Entity Framework 5. The MVC application uses

3 answers
  •  梦毁少年i
    2020-12-18 19:04

    I had the same problem when

    • User logs in
    • Then on the Home Page the User hits Back Button to go back to Login
    • User logs in as a different User
    • This gave the exception: The provided anti-forgery token was meant for user "" but the current user is "user"

    I found this was happening only in IE and I fixed it by doing a couple of things

    1. Disabled output caching for the login page, because in debug mode I found that hitting the back button did not generate a new request to the Login page
    2. On the login page I added a check to see if the user is already authenticated, and if so logged out the user, and then redirected to the Login page again.

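      [AllowAnonymous]
      // Never cache the login page, so the Back button issues a new request
      // and the form is rendered with a fresh anti-forgery token.
      [OutputCache(NoStore=true, Location=System.Web.UI.OutputCacheLocation.None)]
      public ActionResult Login()
      {
          // Already signed in: log out, drop the session, and reload the login
          // page so it is rendered for an anonymous user.
          if (HttpContext.Request.IsAuthenticated)
          {
              WebSecurity.Logout();
              Session.Abandon();
              return RedirectToAction("Login");
          }
      
          return View();
      }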
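
The failure sequence described in the answer above, as a simplified model added here; it is not part of the original answer and not ASP.NET's own code. `TokenModel`, `Issue` and `Validate` are hypothetical names, and the token format (user name plus an HMAC over it) is an assumption made for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Simplified model of a user-bound anti-forgery token. Assumption for illustration:
// this is not the System.Web.Helpers.AntiForgery implementation.
static class TokenModel
{
    static readonly byte[] Key = new byte[32];
    static TokenModel() { using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(Key); }

    static byte[] Mac(string user)
    {
        using (var h = new HMACSHA256(Key)) return h.ComputeHash(Encoding.UTF8.GetBytes(user));
    }

    // Rendered into the form: the user name at render time plus a MAC over it.
    public static string Issue(string user) => user + "|" + Convert.ToBase64String(Mac(user));

    // Run on POST: the token must be authentic and must name the current user.
    public static void Validate(string token, string currentUser)
    {
        int i = token.LastIndexOf('|');
        if (i < 0) throw new FormatException("Malformed token.");
        string user = token.Substring(0, i);
        byte[] given = Convert.FromBase64String(token.Substring(i + 1)), want = Mac(user);
        int diff = given.Length ^ want.Length;                 // constant-time compare
        for (int n = 0; n < given.Length && n < want.Length; n++) diff |= given[n] ^ want[n];
        if (diff != 0) throw new InvalidOperationException("Token failed the integrity check.");
        if (user != currentUser)
            throw new InvalidOperationException(
                $"The provided anti-forgery token was meant for user \"{user}\" but the current user is \"{currentUser}\".");
    }
}

static class Program
{
    static void Main()
    {
        string cachedForm = TokenModel.Issue("");      // login page rendered while anonymous
        TokenModel.Validate(cachedForm, "");           // first login POST succeeds
        // Back button shows the cached form, but the session now belongs to "user".
        try { TokenModel.Validate(cachedForm, "user"); }
        catch (InvalidOperationException e) { Console.WriteLine(e.Message); }
        // With the fix: the user is logged out and the page is rendered again.
        TokenModel.Validate(TokenModel.Issue(""), "");
        Console.WriteLine("Fresh form validates.");
    }
}
```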
      
