Bad Request error on SignOut if the cookie already expired

[ygoe]

My application (ASP.NET Core 3.1 MVC) uses cookie authentication and has a log out button. Pretty much the standard stuff. Now when the page was open long enough, the auth cookie expires. If the user then clicks on the log out button, they get a 400 Bad Request error message. Not a pleasant view. Actually, if the user is already signed out, that operation should just no-op, not fail.

Here's the code from the AccountController class:

[HttpPost]
[ValidateAntiForgeryToken]
public async Task<IActionResult> Logout()
{
	if (User.Identity.IsAuthenticated)
	{
		await HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
	}
	return RedirectToAction(nameof(HomeController.Index), "Home");
}

I've read somewhere else that the antiforgery token validation might be the problem here. Removing it was not recommended for "security reasons". But what do you suggest? How should this issue be resolved?

[brockallen]

The anti forgery validation used the current user's id as part of the validation. Since the request is no longer authenticated, but the anti forgery token is based on the user id of who was logged in, it fails. This is hard to support if the design of anti forgery necessitates using the user id as part of the validation.

[ygoe]

Do you happen to have any suggestions how to improve the user experience in this environment? Simply remove the ValidateAntiForgeryToken attribute from that action? What consequences would that have? Or are there other options?