Security: Get message "Unexpected token <" when trying to approve content after logout

Fixed in

EPiServer.CMS.UI 10.7.0


Nov 02 2016


May 10 2017




Closed, Fixed and tested


Steps to reproduce

  1. UserA is an approver of Content 1, and the content is in review state.
  2. Open the site in 2 tabs of a browser: Content 1 is open in OPE mode in both tabs.
  3. On tab 1: User logs out of the site.
  4. On tab 2: User opens the option menu, then clicks Approve changes.

Expected: Show dialog requiring user to log in again.

Actual: Show dialog with message "Unexpected token <"

How to apply:

If you are using our standard Identity setup in Startup, you also need to hook up a new handler to OnApplyRedirect on the Provider object. app.CmsOnCookieApplyRedirect...

    // Use cookie authentication
    app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
        AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
        LoginPath = new PathString(Global.LoginPath),
        Provider = new CookieAuthenticationProvider
        {
            // Needed only if "/util/login.aspx" is used for login; otherwise you can remove OnApplyRedirect.
            OnApplyRedirect = cookieApplyRedirectContext =>
            {
                app.CmsOnCookieApplyRedirect(cookieApplyRedirectContext, cookieApplyRedirectContext.OwinContext.Get<ApplicationSignInManager<ApplicationUser>>());
            },

            // Enables the application to validate the security stamp when the user logs in.
            // This is a security feature which is used when you change a password or add an external login to your account.
            OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager<ApplicationUser>, ApplicationUser>(
                validateInterval: TimeSpan.FromMinutes(30),
                regenerateIdentity: (manager, user) => manager.GenerateUserIdentityAsync(user))
        }
    });
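
The symptom in the steps above is what a client produces when it parses an HTML login page as JSON. The sketch below is an added example, not EPiServer code: the response objects, `naiveHandle` and `classifyResponse` are constructed for illustration and assume the approve request was answered with the login page after logout.

```javascript
// Constructed sample responses (not captured from a real site).
// What the client sees once the browser has followed the redirect to the login page:
const loginPage = {
  status: 200,
  headers: { "content-type": "text/html; charset=utf-8" },
  body: '<!DOCTYPE html><html><body><form action="/util/login.aspx"></form></body></html>',
};
// What a successful approve call is assumed to look like:
const approveOk = {
  status: 200,
  headers: { "content-type": "application/json; charset=utf-8" },
  body: '{"approved":true}',
};
// What the client sees when the server answers the call with 401 instead of redirecting:
const unauthorized = { status: 401, headers: {}, body: "" };
// A JSON response that is truncated in transit:
const brokenJson = { status: 200, headers: { "content-type": "application/json" }, body: "{" };

// Naive handler: assumes every response body is JSON.
// On loginPage this throws a SyntaxError (V8 words it "Unexpected token <").
function naiveHandle(res) {
  return JSON.parse(res.body);
}

// Defensive handler: decide what the response is before parsing it.
function classifyResponse(res) {
  if (res.status === 401) {
    return { kind: "login-required" };
  }
  const type = (res.headers["content-type"] || "").split(";")[0].trim().toLowerCase();
  if (type !== "application/json") {
    // HTML where JSON was expected is treated here as an expired session.
    return { kind: "login-required" };
  }
  try {
    return { kind: "ok", data: JSON.parse(res.body) };
  } catch (e) {
    return { kind: "error", message: e.message };
  }
}

// Stand-alone run: print the classification of each sample.
for (const [name, res] of Object.entries({ loginPage, approveOk, unauthorized, brokenJson })) {
  console.log(name, "->", classifyResponse(res).kind);
}
```

With `login-required` the UI can show the re-login dialog instead of surfacing the parser error.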