Login page removes anti forgery cookie causing login to fail


Every other time the login page (/Util/Login.aspx) is loaded, EPiServer 11 adds or removes the antiforgery cookie named __epiXSRF, which causes every other login attempt to fail.

Steps to reproduce:

  1. Load /Util/Login.aspx, make sure the __epiXSRF cookie is set
  2. Refresh the page, notice that __epiXSRF is now being removed
  3. An attempted login will now fail because the antiforgery cookie is missing

Expected result:

Refreshing the login page should not remove the required antiforgery cookie.


The OnLoad event on EPiServer.UI.Util.Login calls RemoveCookie on every page load, but AntiForgeryValidation will only add the cookie if it is missing.

Latest version tested:

EPiServer.CMS.UI 11.2.4

#187878 Feb 05, 2018 13:52
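
A regression check for the behaviour reported above, added here as an example; it is not part of the original post and not Episerver code. It replays the `Set-Cookie` headers captured from consecutive loads of the login page and reports the loads on which a held `__epiXSRF` cookie is dropped. It assumes removal appears as an expired or empty-valued cookie; the function names and sample headers are constructed.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

COOKIE = "__epiXSRF"  # antiforgery cookie name given in the report


def cookie_action(set_cookie_headers, now, name=COOKIE):
    """Classify one response: 'set', 'removed' or 'untouched' for `name`."""
    action = "untouched"
    for header in set_cookie_headers:
        pair, *attrs = [part.strip() for part in header.split(";")]
        key, _, value = pair.partition("=")
        if key.strip() != name:
            continue
        attr = {k.strip().lower(): v.strip()
                for k, _, v in (a.partition("=") for a in attrs)}
        expired = False
        try:
            if "max-age" in attr:
                expired = int(attr["max-age"]) <= 0
            elif "expires" in attr:
                expired = parsedate_to_datetime(attr["expires"]) <= now
        except (TypeError, ValueError):
            expired = False  # unparseable attribute: treat as a session cookie
        # Assumption: removal appears as an expired or empty-valued cookie.
        action = "removed" if expired or value == "" else "set"
    return action


def replay(loads, now):
    """Return (held_after_each_load, indexes_where_a_held_cookie_was_dropped)."""
    held, states, dropped = False, [], []
    for i, headers in enumerate(loads):
        action = cookie_action(headers, now)
        if action == "removed" and held:
            dropped.append(i)
        if action != "untouched":
            held = action == "set"
        states.append(held)
    return states, dropped


# Constructed sample: Set-Cookie headers from three consecutive GETs of the login page.
SAMPLE_LOADS = [
    ["__epiXSRF=token-one; path=/; HttpOnly"],
    ["__epiXSRF=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/"],
    ["__epiXSRF=token-two; path=/; HttpOnly"],
]
NOW = datetime(2018, 2, 5, tzinfo=timezone.utc)
```

A non-empty second element from `replay` means a refresh dropped a cookie the browser already held, which is the state in which the next login attempt fails.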

    Thank you for reporting this David. We're looking at it and I think it's fixed in the next release.

    #187906 Edited, Feb 06, 2018 8:18

    Any updates on when this will be released?

    We are experiencing the same problem in our upgraded test environment (Episerver 11 update 201) and don't want to upgrade our production environment until this bug is fixed.

    Best regards!

    #188157 Feb 13, 2018 12:28

    This was resolved in version 11.2.5, released yesterday.

    #188167 Feb 13, 2018 14:40

    I've been experiencing this issue since mid January. Have not noticed the error after CMS 11.3.3 upgrade.

    #188190 Feb 14, 2018 4:40