Open Closed

Antiforgery token mismatch on email verification #9343

User avatar
0
lba created

We're having a problem with antiforgery when trying to verify a users email (under "/Account/Manage" -> Personal info).

The value of XSRF-TOKEN is added to request headers as value for RequestVerificationToken

But the application responds with an error and logs a warning "The antiforgery cookie token and request token do not match".

Upon retrying to request email verification, everything works as expected.

Previously, we configured AbpAntiForgeryOptions as follows:

Configure<AbpAntiForgeryOptions>(options =>
{
    options.TokenCookie.SameSite = Microsoft.AspNetCore.Http.SameSiteMode.None;
    options.TokenCookie.SecurePolicy = Microsoft.AspNetCore.Http.CookieSecurePolicy.Always;
});

Without the above code, RequestVerificationToken would not get added to request headers and email verification did not work at all.

Interestingly, the problem exists only in production environment. No errors occur in development environment.

We look forward to any input on this matter.

Go to accepted answer
2 Answer(s)
  • User Avatar
    0
    EngincanV created
    Support Team .NET Developer

    Hi, setting SameSite as None is the default option (https://github.com/abpframework/abp/blob/dev/framework/src/Volo.Abp.AspNetCore.Mvc/Volo/Abp/AspNetCore/Mvc/AntiForgery/AbpAntiForgeryOptions.cs#L53-L60). So, you can leave it as it is for cross-site access.

    As far as I understand, after the first request you are able to get the verification code. So, it seems by the time your JS reads XSRF-TOKEN and adds it to the header, the browser hasn't yet attached the freshly issued cookie to the request, so the tokens don't match. On your retry, the cookie is already present and everything works as expected.

    Maybe you can apply the followings:

    1. Set samesite as Lax: SameSite.Lax instead of SameSite.None (With None+Secure, some browsers hold off on sending the cookie until after a round-trip establishes that the site is “good.” This can cause the delay maybe)
    2. Apply forwarded headers:
                Configure<ForwardedHeadersOptions>(options =>
            {
                options.ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto;
            });

    Regards.

  • User Avatar
    0
    lba created

    Hello EngincanV,

    setting SameSite to something other than "None" resolved our issue. Thanks!

    1
Assignee
No one
Question details
Labels
None yet
Boost Your Development
ABP Live Training
Packages
See Trainings
Mastering ABP Framework Book
The Official Guide
Mastering
ABP Framework
Learn More
Mastering ABP Framework Book
Made with ❤️ on ABP v9.3.0-preview. Updated on June 13, 2025, 11:37