Member session timeout doesn’t redirect to login on form submit

Hi everyone,

I’m working on an Umbraco site with member authentication, and I’ve run into an issue: when a member’s session times out and they try to submit a form, the page doesn’t redirect them to the login page. Instead, it just shows a 500 error and logs Microsoft.AspNetCore.Antiforgery.AntiforgeryValidationException: The provided antiforgery token was meant for a different claims-based user than the current user.

Is there a recommended way in Umbraco to automatically redirect members to the login page if their session has expired, and then back to the form? Any guidance or best practices would be appreciated!

Thanks in advance.

Without seeing any code it’s hard to say. My guess would be that the surface controller you are posting back to is not “protected”. Are you decorating your endpoint with the [UmbracoMemberAuthorize] attribute? If not, that should do it; however, it may not redirect you correctly. In that case you can set an unauthorized page by configuring your access denied path via CookieOptions like this:

using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.Options;

namespace YOURPROJECTNAME.Core.Configuration
{
    // Adjusts the cookie authentication options used for members.
    // Registered in startup with services.ConfigureOptions<ConfigureCustomMemberCookieOptions>().
    public class ConfigureCustomMemberCookieOptions : IConfigureNamedOptions<CookieAuthenticationOptions>
    {
        public void Configure(string name, CookieAuthenticationOptions options)
        {
            // Only touch the Identity application/external cookie schemes (members),
            // leaving other named cookie schemes (e.g. the backoffice) alone.
            if (name == IdentityConstants.ApplicationScheme || name == IdentityConstants.ExternalScheme)
            {
                Configure(options);
            }
        }

        public void Configure(CookieAuthenticationOptions options)
        {
            // Where a member who fails authorization is sent.
            options.AccessDeniedPath = "/account/login";
        }
    }
}

and then in startup you can register the options:

 services.ConfigureOptions<ConfigureCustomMemberCookieOptions>();

In our U13 project we ended up creating our own attribute class that mimics [UmbracoMemberAuthorize], which inherits from Attribute, IAuthorizationFilter, and then set various endpoints depending on specific conditions in that class.

Hope that helps!
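The following is an added example, not code from the reply above or from Umbraco itself, of the kind of attribute the reply describes: a class inheriting from Attribute and IAuthorizationFilter that lets authenticated members through and sends everyone else to a login page with a returnUrl. The namespace, the attribute name and the default login path are assumptions; adjust them to your project.

```csharp
// Added example (not from the thread): a member-authorize filter that redirects
// to login with a returnUrl instead of producing a bare 401/403.
using System;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Filters;
using Microsoft.AspNetCore.WebUtilities;

namespace YOURPROJECTNAME.Core.Filters
{
    [AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false)]
    public class RedirectingMemberAuthorizeAttribute : Attribute, IAuthorizationFilter
    {
        // Assumed login page path; change it to match the site's login node.
        private readonly string _loginPath;

        public RedirectingMemberAuthorizeAttribute(string loginPath = "/account/login")
        {
            _loginPath = loginPath;
        }

        public void OnAuthorization(AuthorizationFilterContext context)
        {
            var request = context.HttpContext.Request;

            // A member whose auth cookie is still valid passes straight through.
            if (context.HttpContext.User?.Identity?.IsAuthenticated == true)
            {
                return;
            }

            // The session has expired (or the visitor was never logged in). Send them to
            // login and ask to come back to the URL that was requested. Path + query is
            // always site-local, so the login page can safely honour it after checking
            // Url.IsLocalUrl(returnUrl).
            var returnUrl = request.Path + request.QueryString;
            var target = QueryHelpers.AddQueryString(_loginPath, "returnUrl", returnUrl);

            // Short-circuits the action; nothing in the controller runs.
            context.Result = new LocalRedirectResult(target);
        }
    }
}
```

Usage is the same as the built-in attribute: put [RedirectingMemberAuthorize] on the surface controller action (or the class). Because the attribute does not implement IOrderedFilter it runs at order 0, ahead of the antiforgery authorization filter (order 1000), so an expired session is redirected before token validation has a chance to throw. As the later replies note, the POST body is lost on the redirect; this only replaces the error with a login prompt.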

Thanks for the reply!

I should’ve clarified earlier — the form is posting to the Umbraco Forms controller, and when the member session has timed out, submitting the form returns a 500 server error instead of redirecting to the login page.

You should be able to catch that specific exception and redirect to login. In your Startup.cs, inside the Configure method:

// Requires Microsoft.AspNetCore.Diagnostics (IExceptionHandlerPathFeature) and
// Microsoft.AspNetCore.Antiforgery, referenced here by their full names.
app.UseExceptionHandler(errorApp =>
{
    errorApp.Run(async context =>
    {
        // The exception that reached the handler, if any.
        var exceptionHandlerPathFeature = context.Features.Get<Microsoft.AspNetCore.Diagnostics.IExceptionHandlerPathFeature>();
        var exception = exceptionHandlerPathFeature?.Error;

        if (exception is Microsoft.AspNetCore.Antiforgery.AntiforgeryValidationException)
        {
            // Redirect to login, carrying the requested URL so the member can be sent back afterwards.
            context.Response.Redirect("/login?returnUrl=" + Uri.EscapeDataString(context.Request.Path + context.Request.QueryString));
            return;
        }

        // Default error handling
        context.Response.StatusCode = 500;
        await context.Response.WriteAsync("An unexpected error occurred.");
    });
});
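The handler above redirects on every AntiforgeryValidationException. The added example below, which is not code from the reply or from Umbraco, narrows that: the token is bound to the member identity, so the timeout case shows up as a token failure on a request that is no longer authenticated, while a token failure from a member who is still authenticated is a genuine mismatch (a stale or forged token) and is better answered with a 400 than with a silent redirect. Treating "not authenticated" as the signature of an expired session is an assumption stated in the code; the extension-method name, namespace and default login path are also assumptions.

```csharp
// Added example (not from the thread): UseExceptionHandler variant that only
// redirects antiforgery failures that coincide with an expired member session.
using System;
using System.Net;
using Microsoft.AspNetCore.Antiforgery;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Diagnostics;
using Microsoft.AspNetCore.WebUtilities;

namespace YOURPROJECTNAME.Core.Middleware
{
    public static class ExpiredSessionExceptionHandler
    {
        // Call early in Configure, before UseRouting/UseUmbraco, so it wraps the MVC pipeline.
        public static IApplicationBuilder UseExpiredSessionRedirect(
            this IApplicationBuilder app, string loginPath = "/login") // assumed login path
        {
            return app.UseExceptionHandler(errorApp =>
            {
                errorApp.Run(async context =>
                {
                    var error = context.Features.Get<IExceptionHandlerPathFeature>()?.Error;

                    if (error is AntiforgeryValidationException)
                    {
                        // Assumption: if the auth cookie has expired, the request is anonymous
                        // by the time it reaches us, which is the "different claims-based user"
                        // situation described in the question.
                        var stillAuthenticated = context.User?.Identity?.IsAuthenticated == true;

                        if (!stillAuthenticated)
                        {
                            var returnUrl = context.Request.Path + context.Request.QueryString;
                            context.Response.Redirect(QueryHelpers.AddQueryString(loginPath, "returnUrl", returnUrl));
                            return;
                        }

                        // Authenticated member, bad token: do not mask it as a session problem.
                        context.Response.StatusCode = (int)HttpStatusCode.BadRequest;
                        await context.Response.WriteAsync("The form token was invalid. Reload the page and submit again.");
                        return;
                    }

                    // Everything else keeps the generic 500 response.
                    context.Response.StatusCode = (int)HttpStatusCode.InternalServerError;
                    await context.Response.WriteAsync("An unexpected error occurred.");
                });
            });
        }
    }
}
```

In Configure this replaces the inline app.UseExceptionHandler call: app.UseExpiredSessionRedirect();. The login page should still check Url.IsLocalUrl on returnUrl before redirecting, and, as the next replies point out, the posted form values are not preserved across the redirect.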

Sorry for the late reply. Will this preserve form data? This issue mostly affects forms being submitted.

No the form data would not survive a redirect. If the goal is to prevent an error on logout during the submit process, this would be the only way. If a user loses their session mid-stream, then the receiving controller will reject it outright. If this happens frequently to an end user (session expiration during the process of completing a form) then you should probably lengthen the session timeout for a member, or build some type of countdown that prompts the user to refresh, etc. before their session expires.

Thank you for the answer.

Not sure if settings can be used to adjust the session timeout.

"Umbraco": {
  "CMS": {
    "Global": {
      "ReservedUrls": "~/.well-known,",
      "ReservedPaths": "...",
      "TimeOut": "00:20:00"
    }
  }
}

Tried to change that but it didn’t take effect. Is it only for Backoffice?

Yes, that setting should control both member and user timeouts; see Global Settings | Umbraco CMS in the docs.

Make sure your settings are correctly nested in the Global JSON section per the docs. The setting definitely works.

Hope that helps!

Jamie