OrchardCMS / Orchard

Orchard is a free, open source, community-focused Content Management System built on the ASP.NET MVC platform.
https://orchardproject.net
BSD 3-Clause "New" or "Revised" License

Exception for wrong antiforgery token #8425

Open MatteoPiovanelli-Laser opened 4 years ago

MatteoPiovanelli-Laser commented 4 years ago

https://github.com/OrchardCMS/Orchard/blob/0a411994516f211c87783dd84f6642fde887fc2c/src/Orchard/Mvc/AntiForgery/AntiForgeryAuthorizationFilter.cs#L33

"Anti forgery token is meant for user “” but the current user is “username”"

It's pretty easy to generate this exception.

Open the logon form to a tenant in two different browser windows/tabs. Log in from one. Once that is done, log in again from the other.

This exception sidesteps the "normal" management where the user should be redirected to an ErrorPage ("oops something went wrong").

I was thinking that rather than just let that exception bubble up, we should set the Result property of the FilterContext there with a default one. Ideally something aware of tenants and theme, so it looks and behaves from the user's point of view like the ErrorPage.
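The pattern proposed above, as an added illustration that is not Orchard's own filter code: a minimal ASP.NET MVC authorization filter that validates the antiforgery token, catches `HttpAntiForgeryException` (the exception raised when the token was minted for one identity, such as the anonymous user, and the request arrives under another), and short-circuits the pipeline by setting `filterContext.Result` so the user lands on an error view instead of an unhandled exception. The class name `SafeAntiForgeryAuthorizationFilter` and the `errorViewName` constructor parameter are assumptions; the tenant- and theme-aware shape lookup the issue asks for is left to the host application.

```csharp
using System;
using System.Web.Helpers;
using System.Web.Mvc;

// Hypothetical filter (not Orchard's) demonstrating the "set Result instead of
// letting the exception bubble up" approach from the issue.
public class SafeAntiForgeryAuthorizationFilter : IAuthorizationFilter
{
    // Assumed: name of the view rendered when validation fails. A tenant-aware
    // implementation would resolve this through the site's theme instead.
    private readonly string _errorViewName;

    public SafeAntiForgeryAuthorizationFilter(string errorViewName = "Error")
    {
        _errorViewName = errorViewName;
    }

    public void OnAuthorization(AuthorizationContext filterContext)
    {
        if (filterContext == null)
        {
            throw new ArgumentNullException("filterContext");
        }

        // Only state-changing requests carry a token; safe methods are skipped,
        // mirroring the usual ASP.NET MVC convention for antiforgery checks.
        string method = filterContext.HttpContext.Request.HttpMethod;
        if (method == "GET" || method == "HEAD" || method == "OPTIONS" || method == "TRACE")
        {
            return;
        }

        try
        {
            // Throws System.Web.Mvc.HttpAntiForgeryException when the token is
            // missing, does not match the cookie, or was issued for a different
            // user than the one currently authenticated (the two-tab login case).
            AntiForgery.Validate();
        }
        catch (HttpAntiForgeryException)
        {
            // Short-circuit: the action never executes and the response is the
            // application's regular error view with a 400 status, rather than
            // the raw exception page.
            filterContext.HttpContext.Response.StatusCode = 400;
            filterContext.Result = new ViewResult { ViewName = _errorViewName };
        }
    }
}
```

The important property is that the failed request is never allowed through to the action: the filter only changes how the failure is presented, not whether it is enforced. Logging the exception before setting `Result` is worthwhile, because a burst of these errors is also a useful signal for a real cross-site request forgery attempt rather than the benign double-login described in the issue.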

sebastienros commented 4 years ago

Risky area to deal with. Try something simple, if you think it's worth it.

MatteoPiovanelli-Laser commented 4 years ago

There are a few mitigation steps we take to decrease the likelihood of this happening, but I'd still rather this be handled in a tenant-aware way.

One complexity I see off the top of my head is that this filter is in Orchard Framework, while all default shapes are above that in Orchard Core.