Umbraco 7 User Cookies

I am running an MVC site alongside Umbraco. The MVC site handles its own authentication, which is completely separate from Umbraco and ASP.NET Forms authentication. It sets a cookie and uses it internally to track everything.

Everything works fine for the most part, but if I am registered on my MVC website with the above set of cookies and I try to enter the Umbraco admin section using the correct Umbraco credentials, it authenticates me and redirects me to the administrator, but the WebAPI calls start to fail. The first call, `/umbraco/backoffice/UmbracoApi/UpdateCheck/GetCheck`, returns a `417 Missing token null` HTTP error response.

If I delete my cookie and refresh the page, everything will be fine.

I do not understand how my cookie can interfere with the operation of Umbraco. It does not use ASP.NET Forms authentication or anything else.

+5
2 answers

My initial thought was that you accidentally used a key for your cookie that is reserved by Umbraco, which could lead to the wrong cookie being read, which would cause problems. The solution to this is to simply rename your cookie.

If this is not the case, I have another theory:

HTTP requests will always include all cookies whose path / domain matches the domain of the requested resource. They are sorted first by the length of the path and second by the time of creation. If for some reason the Umbraco backend finds the cookie used to authenticate by its index number in the list (I wouldn't even be surprised), and not by its key value, your user cookie will cause the index to shift, which causes Umbraco to look at the wrong cookie.

So, if renaming the cookie did nothing, an interesting task would be to set the cookie path to the shortest path, which will force your browser to place the cookie further down the list, so the index will not move.

This is just a theory, so I'm curious to know how this happens :)

+1

This error occurs because your request does not send the required Angular CSRF headers + cookies. I am not sure why this is so, but it would seem strange if this were the fault of your user cookie. Perhaps you can give us additional information about your problem: cookie name / value, steps to reproduce, specific version of Umbraco, hosting environment, etc.

Some information about what is happening: the code that returns this error is here:

https://github.com/umbraco/Umbraco-CMS/blob/dev-v7/src/Umbraco.Web/WebApi/Filters/AngularAntiForgeryHelper.cs#L94

This is where CSRF cookies are set:

https://github.com/umbraco/Umbraco-CMS/blob/dev-v7/src/Umbraco.Web/WebApi/Filters/SetAngularAntiForgeryTokensAttribute.cs

and this attribute applies to two actions, one for login and one when we retrieve the current user data:

Here the header is set in JS:

https://github.com/umbraco/Umbraco-CMS/blob/5b9a98ad6ae9e63322c26f7b162204e34f7fcb54/src/Umbraco.Web.UI.Client/src/init.js#L11

Depending on your hosting / configuration environment, there were strange messages about removing / changing firewall data, for example:

http://our.umbraco.org/forum/umbraco-7/using-umbraco-7/47340-Umbraco-7-plus-ISA-Server-2006

Hopefully, with the information above, you can determine where the problem starts.

+1
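
A request-side check for the condition described in the answer above, as an added example (not code from the answer or from Umbraco): given the headers of a failing back-office call copied from the browser's network tab, it reports whether the CSRF cookie and header are both present, whether they agree, and whether any cookie name appears twice. The names `XSRF-TOKEN` and `X-XSRF-TOKEN` are AngularJS's `$http` defaults and are an assumption for your Umbraco version; `MySiteAuth` and the sample values are constructed.

```javascript
// Added diagnostic example (not Umbraco code). Cookie and header names are the
// AngularJS $http defaults and are assumptions for a given Umbraco version.
function parseCookieHeader(cookieHeader) {
  // Returns [{name, value}] in wire order, keeping duplicates.
  return cookieHeader
    .split(';')
    .map((part) => part.trim())
    .filter((part) => part.length > 0)
    .map((part) => {
      const eq = part.indexOf('=');
      return eq === -1
        ? { name: part, value: '' }
        : { name: part.slice(0, eq).trim(), value: part.slice(eq + 1).trim() };
    });
}

// Cookie values may be URL-encoded; fall back to the raw value if malformed.
const decode = (v) => { try { return decodeURIComponent(v); } catch (e) { return v; } };

function checkCsrfRequest(request, opts = {}) {
  const cookieName = opts.cookieName || 'XSRF-TOKEN';
  const headerName = (opts.headerName || 'X-XSRF-TOKEN').toLowerCase();
  const findings = [];

  // Header names are case-insensitive; normalise before lookup.
  const headers = {};
  for (const [k, v] of Object.entries(request.headers)) headers[k.toLowerCase()] = v;

  // A name sent twice means the value the server reads is parser-dependent.
  const cookies = parseCookieHeader(headers['cookie'] || '');
  const counts = new Map();
  for (const c of cookies) counts.set(c.name, (counts.get(c.name) || 0) + 1);
  for (const [name, n] of counts) if (n > 1) findings.push(`duplicate-cookie:${name}`);

  // Lookup is by name, so an unrelated cookie earlier in the list changes nothing.
  const tokenCookie = cookies.find((c) => c.name === cookieName);
  const tokenHeader = headers[headerName];
  if (!tokenCookie) findings.push('missing-csrf-cookie');
  if (!tokenHeader) findings.push('missing-csrf-header');
  if (tokenCookie && tokenHeader && decode(tokenCookie.value) !== tokenHeader) {
    findings.push('csrf-header-cookie-mismatch');
  }
  return findings;
}

// Constructed sample: a custom site cookie rides along and the CSRF header is absent.
const sampleRequest = {
  headers: { Cookie: 'MySiteAuth=abc123; XSRF-TOKEN=tok-1', Accept: 'application/json' },
};
console.log(checkCsrfRequest(sampleRequest));
```

Run it once with the custom site cookie present and once after deleting it; a difference in the findings shows which part of the token exchange the extra cookie disturbs.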

Source: https://habr.com/ru/post/1208010/
