
error page from "OrchardCore.Diagnostics" module isn't presented when [ValidateAntiForgeryToken] attribute is used and validation failed #9987

Closed
lampersky opened this issue Jul 27, 2021 · 5 comments · Fixed by #10206

Comments

@lampersky
Contributor

lampersky commented Jul 27, 2021

Describe the bug

Sometimes, when my "orchantiforgery_" cookie expires while the login page is still open in the browser, I can't log in because of an AntiforgeryValidationException, which is expected behavior, but instead of seeing the error page from 'OrchardCore.Diagnostics' I see the default one.

You can reproduce the issue by removing the "orchantiforgery_" cookie, or by manipulating the HTML.

Steps to reproduce the behavior:

  1. Make sure 'OrchardCore.Diagnostics' module is enabled,
  2. Go to 'https://try.orchardcore.net/Login',
  3. Inspect page and change value of '__RequestVerificationToken' input,
  4. Click on 'Log in',
  5. See default 400 error page.

Expected behavior

This error page should be presented to the user:

@sebastienros
Member

Maybe a middleware order, specific to antiforgery token.

@sebastienros sebastienros added this to the 1.0.x milestone Jul 29, 2021
@lampersky
Contributor Author

This issue is related to this change.

@hishamco
Member

hishamco commented Aug 8, 2021

@deanmarcussen seems this broke after #3993

@sebastienros
Member

@lampersky any suggestion on how to fix it? Or is the order the issue?

lampersky added a commit to lampersky/OrchardCore that referenced this issue Sep 3, 2021
@lampersky
Contributor Author

@sebastienros when you apply the filter globally, every controller is affected, even our DiagnosticsController, and that's why we are observing the issue with app.UseStatusCodePagesWithReExecute("/Error/{0}")

The simplest way to fix this issue is just by adding the [IgnoreAntiforgeryToken] attribute to DiagnosticsController.
This will prevent antiforgery token validation for re-executed requests.

I've just prepared a PR
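The interaction described in the comment above, as an added illustration that is not OrchardCore's own code: a minimal ASP.NET Core app that registers the antiforgery filter globally, re-executes failed requests against "/Error/{0}", and has a DiagnosticsController that opts out with [IgnoreAntiforgeryToken]. The controller body and its route are assumptions for the example.

```csharp
// Added illustration (not OrchardCore's own code): why a globally registered
// antiforgery filter also hits the controller that renders re-executed error
// pages, and how [IgnoreAntiforgeryToken] on that controller resolves it.
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);

// Global filter: every unsafe-method request (POST/PUT/DELETE) to ANY
// controller must carry a valid antiforgery token, otherwise MVC answers 400.
builder.Services.AddControllersWithViews(options =>
    options.Filters.Add(new AutoValidateAntiforgeryTokenAttribute()));

var app = builder.Build();

// When a response has a 4xx/5xx status and no body, re-execute the pipeline
// against /Error/{statusCode}. Only the path changes: the re-executed request
// keeps the original method (POST for a failed login) and the same missing or
// invalid token, so the global filter fails again on the error controller and
// the framework's bare default 400 page is all the user sees.
app.UseStatusCodePagesWithReExecute("/Error/{0}");

app.MapControllers();
app.Run();

// Opt the diagnostics controller out of token validation so the re-executed
// request can render the friendly page. This is safe: the action reads the
// status code and changes no server-side state.
[IgnoreAntiforgeryToken]
public class DiagnosticsController : Controller
{
    // Hypothetical route for the example; matches the "/Error/{0}" template above.
    [Route("Error/{status:int}")]
    public IActionResult Error(int status)
    {
        return Content($"Error page for status {status}", "text/plain");
    }
}
```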

lampersky added a commit to lampersky/OrchardCore that referenced this issue Sep 4, 2021
@sebastienros sebastienros modified the milestones: 1.x, 1.1 Oct 16, 2021