This behaviour in MVC3 or MVC4 is as designed however it is very user-unfriendly as explained above, however in production this issue needs to be solved gracefully and application needs to handle this odd situation. The solution for this problem is to create a filter that is applied to the login post that will verify if the user is logged in and take them to the correct page otherwise they will remain on the login page.
Below is the code for the filter attribute
/// <summary>
/// Handle Antiforgery token exception and redirect to customer area if the user is Authenticated
/// </summary>
public class RedirectOnError : HandleErrorAttribute
{
/// <summary>
/// Override the on exception method and check if the user is authenticated and redirect the user
/// to the customer service index otherwise continue with the base implamentation
/// </summary>
/// <param name="filterContext">Current Exception Context of the request</param>
public override void OnException(ExceptionContext filterContext)
{
if (filterContext.Exception is HttpAntiForgeryException && filterContext.HttpContext.User.Identity.IsAuthenticated)
{
// Set response code back to normal
filterContext.HttpContext.Response.StatusCode = 200;
// Handle the exception
filterContext.ExceptionHandled = true;
UrlHelper urlH = new UrlHelper(filterContext.HttpContext.Request.RequestContext);
// Create a new request context
RequestContext rc = new RequestContext(filterContext.HttpContext, filterContext.RouteData);
// Create a new return url
string url = RouteTable.Routes.GetVirtualPath(rc, new RouteValueDictionary(new { Controller = "CustomerArea", action = "Index" })).VirtualPath;
// Check if there is a request url
if (filterContext.HttpContext.Request.Params["ReturnUrl"] != null && urlH.IsLocalUrl(filterContext.HttpContext.Request.Params["ReturnUrl"]))
{
url = filterContext.HttpContext.Request.Params["ReturnUrl"];
}
// Redirect the user back to the customer service index page
filterContext.HttpContext.Response.Redirect(url, true);
}
else
{
// Continue to the base
base.OnException(filterContext);
}
}
}
This is the example of usage
[HttpPost]
**[RedirectOnError]**
[ValidateAntiForgeryToken]
public ActionResult LogOn(LogOnViewModel model, UserSessionState session, string returnUrl)
{
.....
}