Umbraco 7 custom cookies

2

6

I am running an MVC site alongside Umbraco. The MVC site handles its own authentication completely separate to Umbraco, and ASP.NET Forms authentication for that matter. It sets a cookie and uses that internally to keep track of things.

Everything works fine for the most part, but if I am logged into my MVC site with the aforementioned cookie set and I try to log in to the Umbraco admin section using the correct Umbraco credentials, it authenticates me and redirects me to the admin section, but the WebAPI calls start to fail. The first is a call to /umbraco/backoffice/UmbracoApi/UpdateCheck/GetCheck, which returns a 417 Missing token null HTTP error response.

If I delete my custom cookie and refresh the page everything works fine.

I don't understand how my cookie can interfere with Umbraco's. It's not using ASP.NET Forms authentication or anything.

Pucka answered 1/12, 2014 at 4:34 Comment(0)
2

This error occurs because your request is not sending up the required angular CSRF headers + cookie. I'm not sure why this would be the case but it does seem strange if it is a fault of your custom cookie. Perhaps you can tell us some more information about your issue: cookie name/value, steps to reproduce, specific version of Umbraco, hosting environment, etc.

Some info as to what is going on, the code that returns this error is here:

https://github.com/umbraco/Umbraco-CMS/blob/dev-v7/src/Umbraco.Web/WebApi/Filters/AngularAntiForgeryHelper.cs#L94

This is where the CSRF cookies are set:

https://github.com/umbraco/Umbraco-CMS/blob/dev-v7/src/Umbraco.Web/WebApi/Filters/SetAngularAntiForgeryTokensAttribute.cs

and this attribute is applied to two actions, one for login and one when we retrieve the current user data:

This is where the header is set in the JS:

https://github.com/umbraco/Umbraco-CMS/blob/5b9a98ad6ae9e63322c26f7b162204e34f7fcb54/src/Umbraco.Web.UI.Client/src/init.js#L11

Depending on your hosting environment/setup there have been strange reports of some firewalls stripping/changing data, for example:

http://our.umbraco.org/forum/umbraco-7/using-umbraco-7/47340-Umbraco-7-plus-ISA-Server-2006

Hopefully given the info above you might be able to pinpoint where the problem starts.

Gemmule answered 20/1, 2015 at 22:54 Comment(0)
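
To narrow down which piece of the CSRF header + cookie pair described in the answer above is missing, the request headers of a failing back-office call can be copied from the browser's network tab and checked offline. This is an added example, not code from the answer or from Umbraco; the validation cookie name `XSRF-V` and the sample cookie `MyMvcAuth` are assumptions, and the other two names are Angular's `$http` defaults.

```javascript
// Added example: the names below are assumptions (Angular $http defaults plus
// an assumed validation-cookie name); they are not stated on this page.
const DEFAULT_NAMES = {
  header: 'X-XSRF-TOKEN',      // header Angular's $http sends by default
  tokenCookie: 'XSRF-TOKEN',   // cookie Angular copies into that header
  validationCookie: 'XSRF-V',  // assumed name of the server-side validation cookie
};

// URL-decode a cookie value, falling back to the raw text if it is malformed.
const decode = s => { try { return decodeURIComponent(s); } catch { return s; } };

// Parse a raw Cookie request header into [name, value] pairs, keeping order.
function parseCookieHeader(raw) {
  return (raw || '').split(';').map(p => p.trim()).filter(Boolean).map(p => {
    const eq = p.indexOf('=');
    return eq === -1 ? [p, ''] : [p.slice(0, eq).trim(), p.slice(eq + 1).trim()];
  });
}

// Look a cookie up by name, never by position, and flag duplicate names.
function findCookie(pairs, name) {
  const hits = pairs.filter(([n]) => n === name);
  return { value: hits.length ? hits[0][1] : null, duplicates: hits.length > 1 };
}

// Return the list of problems found in one request's headers (empty = looks fine).
function diagnoseCsrfRequest(headers, names = DEFAULT_NAMES) {
  const lower = {};
  for (const [k, v] of Object.entries(headers)) lower[k.toLowerCase()] = v;
  const pairs = parseCookieHeader(lower['cookie']);
  const headerToken = lower[names.header.toLowerCase()];
  const token = findCookie(pairs, names.tokenCookie);
  const validation = findCookie(pairs, names.validationCookie);
  const problems = [];
  if (!headerToken) problems.push('header-missing');
  if (token.value === null) problems.push('token-cookie-missing');
  if (validation.value === null) problems.push('validation-cookie-missing');
  if (token.duplicates || validation.duplicates) problems.push('duplicate-cookie');
  if (headerToken && token.value !== null && decode(token.value) !== headerToken)
    problems.push('header-cookie-mismatch');
  return problems;
}

// Constructed sample requests (not captured from a real site).
const SAMPLE_OK = { Cookie: 'MyMvcAuth=abc; XSRF-TOKEN=t0k3n; XSRF-V=v4l', 'X-XSRF-TOKEN': 't0k3n' };
const SAMPLE_BROKEN = { Cookie: 'MyMvcAuth=abc; XSRF-V=v4l' };
console.log(diagnoseCsrfRequest(SAMPLE_OK), diagnoseCsrfRequest(SAMPLE_BROKEN));
```

A `token-cookie-missing` or `validation-cookie-missing` result points at the response that should have set the cookies (or something between browser and server removing them), while `header-missing` with both cookies present points at the client script or an intermediary stripping the header.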
1

My initial thought is that you by accident used a key value for your cookie that is reserved by Umbraco, which could result in the wrong cookie being read, causing issues. The solution to this would be to simply rename your cookie.

If this is not the case I have another theory:

HTTP requests will always include all cookies whose path/domain matches the domain of the resource you are requesting. They are sorted by path length primarily, and secondarily by creation time. If Umbraco backend for some reason finds the cookie used for authentication by its index number (wouldn't even be surprised) in the list, rather than key value, your custom cookie would cause the index to shift, thus making Umbraco look at the wrong cookie.

So, if renaming the cookie didn't do anything, a fun thing to try could be to set path of the cookie to the shortest possible path, which would make your browser put the cookie further down the list, so the index won't shift.

It's just a theory though, so I'm interested in hearing how it goes :)

Gramophone answered 10/12, 2014 at 11:37 Comment(3)
This is the piece in question -> github.com/umbraco/Umbraco-CMS/blob/… I see no indication that the cookies are found by an index number, sorry :) - Spondaic

I'm using a session in the backoffice. The moment the session is set an extra cookie is added called ASP.NET_SessionId. The cookie starts with the letter 'A' and is the first in the index. After that I also get these errors. - Rockefeller

@Spondaic I'm actually quite happy to hear that :) - Gramophone
