
Receiving "The antiforgery cookie token and request token do not match" on Login #5148


balessi75 created

ABP Commercial 7.2.1 / Blazor Server / EF / Non tiered / Separate Host and Tenant DBs / Lepton Theme

Hi, we are receiving the following exception in certain circumstances when a user logs in (see below for full log details)

The antiforgery cookie token and request token do not match.

So far, we only seem to have been able to replicate this in a Safari browser running on a Mac. We have not been able to replicate the issue on Chrome or Edge whether on a PC or Mac.

Steps to reproduce:

  1. Start with a clean slate by clearing the browser cache
  2. Log in as a user
  3. Log out
  4. Log in as the same user
  5. Log out
  6. On the third login as the same user, the user receives an HTTP 400 AN INTERNAL ERROR OCCURRED DURING YOUR REQUEST! message.
  7. From that point the user cannot log in again without an exception (even if using a new tab or restarting the web browser). Additionally, any invalid credentials entered cause the exception instead of the user-friendly 'Invalid username or password' message.
  8. The only way for the user to log in again at this point is to clear the browser cache

The above steps are very repeatable, but it is a strange sequence of events. This is the only way we can reproduce, but a few clients have reported the issue as occurring randomly.

We are using HTTPS only and have not found anything in our research that seems to apply to our situation.

Any suggestions on what might be going on here and if there are any known issues and/or workarounds?

Logging Details:

2023-05-26 02:23:20.497 +00:00 [INF] Executing endpoint '/Account/Login'
2023-05-26 02:23:20.497 +00:00 [INF] Route matched with {page = "/Account/Login", area = "", action = "", controller = ""}. Executing page /Account/Login
2023-05-26 02:23:20.497 +00:00 [INF] Skipping the execution of current filter as its not the most effective filter implementing the policy Microsoft.AspNetCore.Mvc.ViewFeatures.IAntiforgeryPolicy
2023-05-26 02:23:20.498 +00:00 [INF] Antiforgery token validation failed. The antiforgery cookie token and request token do not match.
Microsoft.AspNetCore.Antiforgery.AntiforgeryValidationException: The antiforgery cookie token and request token do not match.
   at Microsoft.AspNetCore.Antiforgery.DefaultAntiforgery.ValidateTokens(HttpContext httpContext, AntiforgeryTokenSet antiforgeryTokenSet)
   at Microsoft.AspNetCore.Antiforgery.DefaultAntiforgery.ValidateRequestAsync(HttpContext httpContext)
   at Microsoft.AspNetCore.Mvc.ViewFeatures.Filters.ValidateAntiforgeryTokenAuthorizationFilter.OnAuthorizationAsync(AuthorizationFilterContext context)
2023-05-26 02:23:20.498 +00:00 [INF] Authorization failed for the request at filter 'Microsoft.AspNetCore.Mvc.ViewFeatures.Filters.AutoValidateAntiforgeryTokenAuthorizationFilter'.
2023-05-26 02:23:20.498 +00:00 [INF] Executing StatusCodeResult, setting HTTP status code 400

1 Answer(s)
  • balessi75 created

    For anyone running into this problem, I upgraded macOS to the latest version, which also updated Safari, and the issue was resolved.

Made with ❤️ on ABP v8.2.0-preview Updated on March 25, 2024, 15:11