Login page removes anti forgery cookie causing login to fail

Every other time the login page (/Util/Login.aspx) is loaded EPiServer 11 adds or removes the antiforgery cookie named __epiXSRF which causes every other login attempt to fail.

Steps to reproduce:

  1. Load /Util/Login.aspx, make sure the __epiXSRF cookie is set
  2. Refresh the page, notice that __epiXSRF is now being removed
  3. An attempted login will now fail because the antiforgery cookie is missing

Expected result:

Refreshing the login page should not remove the required antiforgery cookie.

Cause:

The OnLoad event on EPiServer.UI.Util.Login calls RemoveCookie on every page load but AntiForgeryValidation will only add the cookie if it is missing.

Latest version tested:

EPiServer.CMS.UI 11.2.4

#187878 Feb 05, 2018 13:52
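A small model of the interaction described under "Cause", added here as an example; it is not EPiServer code and not part of the original post. The handler order (removal first, token issued only when the request carried none), the cookie attributes and the token value are assumptions made for illustration.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

COOKIE = "__epiXSRF"
EXPIRE_NOW = "Thu, 01 Jan 1970 00:00:00 GMT"


def login_page_set_cookies(request_cookies, remove_on_load):
    """Set-Cookie values emitted by one GET of the login page (assumed model)."""
    headers = []
    if remove_on_load:
        # Page load step: expire the cookie unconditionally.
        headers.append(f"{COOKIE}=; expires={EXPIRE_NOW}; path=/")
    if COOKIE not in request_cookies:
        # Anti-forgery step: issue a token only if the request carried none.
        headers.append(f"{COOKIE}=constructed-token; path=/; HttpOnly")
    return headers


def apply_set_cookies(jar, headers):
    """Minimal browser jar: headers apply in order, a past 'expires' deletes."""
    now = datetime.now(timezone.utc)
    for header in headers:
        pair, *attrs = [part.strip() for part in header.split(";")]
        name, _, value = pair.partition("=")
        expires = None
        for attr in attrs:
            key, _, val = attr.partition("=")
            if key.lower() == "expires":
                expires = parsedate_to_datetime(val)
        if expires is not None and expires <= now:
            jar.pop(name, None)
        else:
            jar[name] = value
    return jar


def cookie_present_after_each_load(loads, remove_on_load):
    """Reload the page `loads` times; report whether the token survives each."""
    jar, present = {}, []
    for _ in range(loads):
        headers = login_page_set_cookies(dict(jar), remove_on_load)
        apply_set_cookies(jar, headers)
        present.append(COOKIE in jar)
    return present


if __name__ == "__main__":
    print("remove on every load:", cookie_present_after_each_load(4, True))
    print("no removal on load:  ", cookie_present_after_each_load(4, False))
```

The same jar check can be pointed at Set-Cookie headers captured from two consecutive loads of a real login page to confirm whether an installed version still drops the token.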
  • Thank you for reporting this David. We're looking at it and I think it's fixed in the next release.

    #187906 Edited, Feb 06, 2018 8:18
  • Any updates on when this will be released?

    We are experiencing the same problem in our upgraded test environment (Episerver 11 update 201) and don't want to upgrade our production environment until this bug is fixed.

    Best regards!

    #188157 Feb 13, 2018 12:28
  • This was resolved in version 11.2.5, released yesterday.

    #188167 Feb 13, 2018 14:40
  • I've been experiencing this issue since mid January. Have not noticed the error after CMS 11.3.3 upgrade.

    #188190 Feb 14, 2018 4:40