Security: Get message "Unexpected token <" when trying to approve content after logout

Fixed in

EPiServer.CMS.UI 10.7.0

Created

Nov 02 2016

Updated

May 10 2017

Area

CMS UI

State

Closed, Fixed and tested


Description

Steps to reproduce

  1. UserA is an approver of Content 1, and Content 1 is in the review state.
  2. Open the site in 2 tabs of a browser: Content 1 is open in OPE mode in both tabs.
  3. On tab 1: User logs out of the site.
  4. On tab 2: User opens the option menu, then clicks Approve changes.

Expected:
Show dialog requiring user to log in again.

Actual:
Show dialog with message "Unexpected token <"

How to apply:

If you are using our standard ASP.NET Identity setup in Startup, you also need to hook up a new handler, app.CmsOnCookieApplyRedirect, to OnApplyRedirect on the Provider object:

            // Use cookie authentication
            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
                LoginPath = new PathString(Global.LoginPath),
                Provider = new CookieAuthenticationProvider
                {
                    // Only needed if "/util/login.aspx" is used for login; otherwise you can remove OnApplyRedirect.
                    OnApplyRedirect = cookieApplyRedirectContext =>
                    {
                        app.CmsOnCookieApplyRedirect(cookieApplyRedirectContext, cookieApplyRedirectContext.OwinContext.Get<ApplicationSignInManager<ApplicationUser>>());
                    },

                    // Enables the application to validate the security stamp when the user logs in.
                    // This is a security feature which is used when you change a password or add an external login to your account.
                    OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager<ApplicationUser>, ApplicationUser>(
                        validateInterval: TimeSpan.FromMinutes(30),
                        regenerateIdentity: (manager, user) => manager.GenerateUserIdentityAsync(user))
                }
            });
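
The message under "Actual" is what a JSON parser reports when a background request receives an HTML page instead of JSON. The sketch below is an added example, not Episerver code: it assumes the HTML is the login page served after the cookie middleware's redirect, and all function names and sample responses are constructed.

```javascript
// Classify the response to a background call made after the session cookie is gone.
// Hypothetical helper names; sample responses below are constructed for illustration.

// Naive handling: parse whatever came back and surface the parser's message.
function naiveHandle(res) {
  try {
    return { kind: "ok", data: JSON.parse(res.body) };
  } catch (err) {
    // For an HTML body this is the "Unexpected token <" style message.
    return { kind: "error", message: err.message };
  }
}

// Defensive handling: check status and content type before parsing.
function classifyApiResponse(res) {
  const type = (res.headers["content-type"] || "").toLowerCase();
  // Explicit signal from the server that the session is no longer valid.
  if (res.status === 401) {
    return { kind: "login-required" };
  }
  // Heuristic: a followed redirect to the login page arrives as 200 text/html.
  if (type.startsWith("text/html")) {
    return { kind: "login-required" };
  }
  try {
    return { kind: "ok", data: JSON.parse(res.body) };
  } catch (err) {
    return { kind: "malformed", message: err.message };
  }
}

// Constructed sample responses.
const sampleLoginPage = {
  status: 200,
  headers: { "content-type": "text/html; charset=utf-8" },
  body: '<!DOCTYPE html><html><body><form action="/util/login.aspx"></form></body></html>',
};
const sampleUnauthorized = { status: 401, headers: {}, body: "" };
const sampleApproved = {
  status: 200,
  headers: { "content-type": "application/json" },
  body: '{"approved":true}',
};
const sampleTruncated = {
  status: 200,
  headers: { "content-type": "application/json" },
  body: '{"approved":',
};
```

With a check like `classifyApiResponse`, the UI can show the login dialog from "Expected" instead of the raw parser message.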