Member session timeout doesn’t redirect to login on form submit

Aki-Gra · July 2, 2025, 3:27pm

Hi everyone,

I’m working on an Umbraco site with member authentication, and I’ve run into an issue: when a member’s session times out and they try to submit a form, the page doesn’t redirect them to the login page. Instead, it just shows an 500 error, and logs Microsoft.AspNetCore.Antiforgery.AntiforgeryValidationException: The provided antiforgery token was meant for a different claims-based user than the current user.

Is there a recommended way in Umbraco to automatically redirect members to the login page if their session has expired and then back to form? Any guidance or best practices would be appreciated!

Thanks in advance.

jattwood · July 3, 2025, 1:43pm

Without seeing any code it’s hard to say. My guess would be that the surface controller you are posting back to is not “projected”. Are you decorating your endpoint with the [UmbracoMemberAuthorize] attribute? If not that should do it, however it may not redirect you correctly, if not you can set an unauthorized page configuring your access denied path via CookieOptions like this:

using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.Options;

namespace YOURPROJECTNAME.Core.Configuration
{
    public class ConfigureCustomMemberCookieOptions : IConfigureNamedOptions<CookieAuthenticationOptions>
    {
        public void Configure(string name, CookieAuthenticationOptions options)
        {
            if (name == IdentityConstants.ApplicationScheme || name == IdentityConstants.ExternalScheme)
            {
                Configure(options);
            }
        }

        public void Configure(CookieAuthenticationOptions options)
        {
            options.AccessDeniedPath = "/account/login";
        }
    }
}

and then in startup you can register the options:

 services.ConfigureOptions<ConfigureCustomMemberCookieOptions>();

In our U13 project we ended up creating our own attribute class that mimics [UmbracoMemberAuthorize] which inherits from

Attribute, IAuthorizationFilter

and then set various endpoints depending on specific conditions in that class.

Hope that helps!

Aki-Gra · July 8, 2025, 11:08am

Thanks for the reply!

I should’ve clarified earlier — the form is posting to the Umbraco Forms controller, and when the member session has timed out, submitting the form returns a 500 server error instead of redirecting to the login page.

jattwood · July 9, 2025, 2:44pm

You should be able to catch that specific exception and redirect to login. In your startup.cs inside the configure method:

app.UseExceptionHandler(errorApp =>
{
    errorApp.Run(async context =>
    {
        var exceptionHandlerPathFeature = context.Features.Get<Microsoft.AspNetCore.Diagnostics.IExceptionHandlerPathFeature>();
        var exception = exceptionHandlerPathFeature?.Error;

        if (exception is Microsoft.AspNetCore.Antiforgery.AntiforgeryValidationException)
        {
            // Redirect to login
            context.Response.Redirect("/login?returnUrl=" + Uri.EscapeDataString(context.Request.Path + context.Request.QueryString));
            return;
        }

        // Default error handling
        context.Response.StatusCode = 500;
        await context.Response.WriteAsync("An unexpected error occurred.");
    });
});