Got the following error after login (error message from the console in dev tools):
Failed to load resource: the server responded with a status of 417 (The required antiforgery header value "X-UMB-XSRF-TOKEN" is not present.)
angular.js:15697 Possibly unhandled rejection: {"errorMsg":"Failed to get cultures","data":{"Type":null,"Title":null,"Status":417,"Detail":null,"Instance":null,"Extensions":{"traceId":"00-93fec86bfd085f8cc8e0685a941020d4-4f64b9911dd2c6f9-00"}},"status":417,"xhrStatus":"complete"}
Are you using a cookie control? I’ve had a similar error when the session cookies Umbraco uses are blocked. Setting the ones in this doc to always on fixed it for me: Cookies | Umbraco CMS
No, I’m not using a cookie control.
And it only happens when I access my Umbraco site via a redirect, meaning: we have to log in to a general system that's linked to our organization (similar to logging in first to Google or Facebook), and if verified it redirects me to the Umbraco login page, and then when I try to log in I get the error I mentioned above.
But when we didn't have the first login step (our private one) it worked perfectly.
Do you have a global cookie policy set? (maybe enforced by your environment?)
    // Global cookie policy: applied by the middleware to every cookie the app sets,
    // including the ones Umbraco's backoffice issues.
    var cookiePolicyOptions = new CookiePolicyOptions
    {
        MinimumSameSitePolicy = SameSiteMode.Strict,
        // Forces HttpOnly on all cookies, regardless of what each cookie asked for.
        HttpOnly = Microsoft.AspNetCore.CookiePolicy.HttpOnlyPolicy.Always,
        Secure = CookieSecurePolicy.None,
    };
    app.UseCookiePolicy(cookiePolicyOptions);
We had a similar issue with 417s on 13.7.2 (but not earlier versions, though I can't think why; ours was upgrading from 13.4.1), as this overrides the HttpOnly setting Umbraco intends for the backoffice cookie (which Angular needs to be able to access).
The HttpOnly attribute is a security feature for cookies. When a cookie is marked as HttpOnly, it means that the cookie cannot be accessed or manipulated by client-side scripts, such as JavaScript. This helps protect sensitive information, like session tokens, from being exposed to potential attacks, such as Cross-Site Scripting (XSS).
For example, if an attacker injects malicious JavaScript into a webpage, they won't be able to read or steal cookies that have the HttpOnly flag enabled. This makes it a valuable tool for enhancing the security of web applications.
We had to remove the global HttpOnly = Microsoft.AspNetCore.CookiePolicy.HttpOnlyPolicy.Always
and set it on a per-cookie basis instead, so as not to affect the backoffice cookie:
    using Microsoft.AspNetCore.Authentication.Cookies;
    using Microsoft.AspNetCore.Http;

    builder.Services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
        .AddCookie(option =>
        {
            option.LoginPath = new PathString("/Authentication/Login");
            option.AccessDeniedPath = new PathString("/Authentication/AccessDenied");
            // HttpOnly only on our own auth cookie; Umbraco's backoffice cookies are untouched.
            option.Cookie.HttpOnly = true;
        });
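An alternative to dropping the global policy altogether, as an added example that is not code from this thread or from Umbraco: keep HttpOnlyPolicy.Always for everything, but use CookiePolicyOptions.OnAppendCookie to exempt the one cookie the backoffice's Angular client has to read and copy into the X-UMB-XSRF-TOKEN header. The cookie policy middleware applies the global HttpOnly/Secure/SameSite settings to the cookie's options first and then invokes OnAppendCookie, so a change made there wins. The cookie name "UMB-XSRF-TOKEN" is an assumption here (it is the non-HttpOnly XSRF cookie the backoffice sets; confirm the name in your browser's devtools before relying on it).

```csharp
// Added example, not from the thread: global cookie policy with a single exemption.
using System;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.CookiePolicy;
using Microsoft.AspNetCore.Http;

var builder = WebApplication.CreateBuilder(args);
// ... Umbraco service registration as in your project ...
var app = builder.Build();

// Assumed name of the XSRF cookie Angular reads from document.cookie and
// echoes back as the X-UMB-XSRF-TOKEN header. It must NOT be HttpOnly.
const string angularXsrfCookie = "UMB-XSRF-TOKEN";

app.UseCookiePolicy(new CookiePolicyOptions
{
    // Lax rather than Strict: a Strict cookie is not sent on a request that
    // arrives through a cross-site redirect, e.g. a login page reached from
    // another organisation's sign-in system.
    MinimumSameSitePolicy = SameSiteMode.Lax,
    HttpOnly = HttpOnlyPolicy.Always,
    Secure = CookieSecurePolicy.Always,
    OnAppendCookie = ctx =>
    {
        // The global policy has already been applied to ctx.CookieOptions here,
        // so undo HttpOnly only for the cookie the backoffice script must read.
        if (string.Equals(ctx.CookieName, angularXsrfCookie, StringComparison.Ordinal))
        {
            ctx.CookieOptions.HttpOnly = false;
        }
    }
});

// ... app.UseUmbraco() / endpoint configuration as in your project ...
app.Run();
```

To check the result, log in to the backoffice and look at the Set-Cookie headers in the network tab: every cookie except the XSRF token should carry HttpOnly, and the subsequent backoffice requests should carry the X-UMB-XSRF-TOKEN header instead of failing with 417.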