U4-9873 - Backoffice Login - 417 missing token

Created by Rasmus Söderström 08 May 2017, 14:05:33 Updated by Steve Edson 23 Jan 2018, 11:39:33

Is duplicated by: U4-4149

Is duplicated by: U4-5158

Is duplicated by: U4-7854

Is duplicated by: CON-1243

Is duplicated by: U4-9584

Is duplicated by: U4-10068

Relates to: U4-10363

Relates to: U4-10367

Relates to: U4-10400

When logging in to the backoffice, the left sidebar does not load. Neither does it allow creating or editing nodes.

Web console outputs:

umbraco/backoffice/UmbracoApi/Section/GetSections Failed to load resource: the server responded with a status of 417 (Missing token)
umbraco/backoffice/UmbracoApi/Dashboard/GetDashboard?section=content Failed to load resource: the server responded with a status of 417 (Missing token)

Reloading the window cures it.

Looking at my cookies, I'm not getting any anti-XSRF tokens until I reload. Included screen-dump of site and console.

http://issues.umbraco.org/issue/U4-5158 Feels related

Reproduced on multiple installations of Umbraco 7.2.8 in Chrome & FF Latest, and on multiple PCs.

EDIT: Problem appears to have arisen when migrating website from Windows Server 08R2 (IIS 7.5) to Windows Server 2016 (IIS 10.0). We're yet to see why this would cause an issue here.

17 Attachments

Comments

Ewan 23 May 2017, 07:32:08

We have the same issue. The problems started when we installed .NET Framework 4.7 on our Windows Server 2012 servers. Only the sites that are built in Umbraco <= 7.2.8. Umbraco 7.4 does not have the problem. We don't have Umbraco 7.3 websites so couldn't test it for that version of Umbraco. Umbraco 7.5 and higher is also safe.


Tim Oldenkamp 29 May 2017, 07:40:59

Same problem here. After the installation of .NET Framework 4.7 all the websites with Umbraco <= 7.2.8 give a Failed to load resource: the server responded with a status of 417 (Missing token) after login.

Other versions (v7.3+) of Umbraco on the same server with Framework 4.7 don't have a problem. The impact on websites with Umbraco <= 7.1 and .NET Framework 4.7 is under investigation and websites with Umbraco <= 7.1 and Framework 4.6 are still working fine for now.

I will give an update for Umbraco 7.1 after the Framework 4.7 updates have been installed...


DLi 20 Jun 2017, 07:20:52

Hi. Any chance to have a fix soon ?


Tim Oldenkamp 20 Jun 2017, 09:00:20

I'm not sure it's related to the installed version of .NET Framework and/or security patches because I can't see a real pattern in the problem and OS/Framework versions.

Although I previously mentioned that we have the same issues after .NET Framework 4.7 installation this isn't quite true. We don't have .NET Framework 4.7 installed on any server but we do have problems with the missing token error that suddenly pop up without any changes to the CMS or DLLs of the website.

The problems appear on different servers and different versions of Umbraco. But for example the same version of Umbraco on different OS and/or framework don't give the same result. Currently we have problems with versions 7.1.4, 7.2.1, 7.2.6 and 7.2.8. Umbraco versions 7.3 or up don't have any problems.

'''Summary'''

||Umbraco||OS||.NET Framework||Result||
|7.1.4|Windows 2008R2|4.5.2|''No problems''|
|7.1.4|Windows 20012R2|4.6.1 with KB4014604 installed|417 missing token error|
|7.2.1|Windows 2008R2|4.5.2|417 missing token error but not on all servers with same OS and .NET Framework|
|7.2.2|Windows 2012R2|4.6.1|''No problems''|
|7.2.6|Windows 2008R2|4.5.2|417 missing token error|
|7.2.8|Windows 2008R2|4.5.2|417 missing token error but not on all servers with same OS and .NET Framework|

For some people the uninstall of KB4014604 is a solution but this optional update is only installed on 1 server.


Sebastiaan Janssen 22 Jun 2017, 08:02:52

I've marked a lot of related issues as duplicate and encourage you to read through them as there seem to be plenty of reasons this can happen.

From those issues it looks like reasons could be:

If you have set umbracoUseSSL to true in your web.config then you MUST use the backoffice over HTTPS, else you will get this problem. Set up a redirect to always force HTTPS, here's an example redirect rule for your web.config: https://our.umbraco.org/Documentation/Reference/Security/#ssl-https

  1. U4-9584 Backoffice stops working if a cookie is set and contains one of the following characters "å", "ä" or "ö". Any cookie on the domain you're using that has an invalid character in its name could cause this problem (so it is NOT just these characters, there's more special characters that can cause this problem - a through z, period, dash and underscore should be fine, other characters are suspicious).
  2. The SetAngularAntiForgeryTokens attribute changes the XSRF-TOKEN and XSRF-V cookies which Umbraco uses: https://our.umbraco.org/forum/umbraco-7/using-umbraco-7/65380-Backend-go-crash-when-navigating-Frontend-in-same-browser#comment-232242
  3. Web API session state: https://our.umbraco.org/forum/umbraco-7/using-umbraco-7/65380-Backend-go-crash-when-navigating-Frontend-in-same-browser#comment-232333
  4. When using Forms and you have duplicate form listings UFUserFormSecurity that could cause this problem: http://issues.umbraco.org/issue/CON-1243#comment=67-34847
  5. On rare occasions proxy servers may cause this: https://stackoverflow.com/questions/11198393/the-request-failed-with-http-status-417-expectation-failed-using-web-services/11199011#11199011


Rasmus Söderström 22 Jun 2017, 12:09:50

Hi Sebastiaan, and thank you for your attention.

I'm unable to relate my issue directly to any of the mentioned linked issues. In the attached screenshot, I've signed into the backoffice in a private Chrome tab. I'm not connected to that site, or any other Umbraco-powered site in any tab. So I doubt there's a chance of website and backoffice interfering. We are not getting any XSRF token or ASP.NET session id at all, until we reload.

No Umbraco Forms on any of our websites.

Neither we nor our clients are using any proxy or VPN when connecting to the websites in question.

Our investigation will continue, and it feels good to have an official eye on this as well.


Rasmus Söderström 22 Jun 2017, 12:17:38

Missed attachment


Sebastiaan Janssen 22 Jun 2017, 12:31:22

@rs@impera.se But in your screenshot there is NO XSRF-TOKEN and XSRF-V cookies so that is why you're getting these errors. You'll have to figure out why these cookies are not being set.

Ah, I have one more suggestion to add to the list: If you have set UmbracoUseSSL to true in your web.config then you MUST use the backoffice over HTTPS, else you will get this problem. Set up a redirect to always force HTTPS, here's an example redirect rule for your web.config: https://our.umbraco.org/Documentation/Reference/Security/#ssl-https


DLi 13 Jul 2017, 08:42:11

Hi. Any chance to have it fixed ?


Sebastiaan Janssen 13 Jul 2017, 10:38:10

@DLi Tried the fixes I listed above?


Rasmus Söderström 13 Jul 2017, 10:58:25

@sebastiaan I know I'm not getting any XSRF-token. I've stated that from the start. Here I am, seeking guidance. This can't be an isolated event as there are more people experiencing the same issue lately, seemingly unprovoked.

The issue with cookies not being set until we reload the browser persists. I don't know where to start looking.


Sebastiaan Janssen 13 Jul 2017, 14:22:54

Sorry all the guidance we have is in this ticket. You'll have to investigate what is going wrong in your specific environment.


Ryan O'Connor 18 Jul 2017, 03:30:04

I don't have this problem immediately but with 7.6.3 and .NET 4.6.2 it's fine until the token expires. Then I start seeing unresponsive backoffice and upon looking at the chrome console, I see the error stated above. Hard reloading the browser fixes the issue temporarily. This probably isn't related - are you guys seeing this issue immediately upon login? What about after login and then reloading the browser page?


William Lee 18 Jul 2017, 15:05:41

I am having this issue with a clean build from NuGet on one of my development machines and not on one of my others. I have changed the .net framework versions so that they are the same. Are there any other installations that Umbraco is not compatible with? The only other .net difference I can tell between the machines is that I have .net core installed on the one that does not work.

The XSRF-token is being created.


William Lee 18 Jul 2017, 15:07:47

Attaching image for my post above.


DLi 18 Jul 2017, 16:35:42

@sebastiaan no, as it has been working for a few years ... it seems to occur after a .NET update.


Sebastiaan Janssen 19 Jul 2017, 08:01:37

@williamlee@zipporah.co.uk You have an invalid cookie name there, this is your problem: StylePicker:fontsize should not include a colon.

@DLi Details of the .NET update that's causing this for you please?
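
Added example, not part of the original thread and not Umbraco's code: a small Node.js check for the two cookie conditions discussed in the comments above (an invalid cookie name such as StylePicker:fontsize or one containing "å", and absent XSRF-TOKEN / XSRF-V cookies), run against a Cookie request header copied from the browser's network tab. The function names, the sample headers and the UMB- prefixed name variants are assumptions made for illustration.

```javascript
// Added diagnostic example (not Umbraco code). Function names are hypothetical.

// RFC 6265 defines cookie-name as an RFC 2616 "token":
// visible ASCII without separators such as ( ) < > @ , ; : \ " / [ ] ? = { } space.
const RFC_TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

// Conservative set named in the thread (letters, period, dash, underscore).
// Allowing digits and upper case here is an assumption of this example.
const SAFE_CHAR = /[A-Za-z0-9._-]/;

// Anti-forgery cookie names mentioned in the thread. Accepting a "UMB-" prefixed
// variant is an assumption based on the later comment about version 7.6.6.
const TOKEN_COOKIES = ["XSRF-TOKEN", "XSRF-V"];

// Split a Cookie request header into { name, value } pairs.
function parseCookieHeader(header) {
  return header
    .split(";")
    .map((pair) => pair.trim())
    .filter((pair) => pair.length > 0)
    .map((pair) => {
      const eq = pair.indexOf("=");
      return eq === -1
        ? { name: pair, value: "" }
        : { name: pair.slice(0, eq).trim(), value: pair.slice(eq + 1).trim() };
    });
}

// "invalid": not an RFC 6265 cookie-name at all (colon, non-ASCII, empty, ...).
// "suspicious": legal token, but outside the conservative character set.
function classifyName(name) {
  if (!RFC_TOKEN.test(name)) return "invalid";
  if (![...name].every((ch) => SAFE_CHAR.test(ch))) return "suspicious";
  return "ok";
}

// Report problem cookie names and which anti-forgery cookies are absent.
function auditCookies(header) {
  const cookies = parseCookieHeader(header);
  const findings = cookies
    .map((c) => ({
      name: c.name,
      verdict: classifyName(c.name),
      offending: [...c.name].filter((ch) => !SAFE_CHAR.test(ch)),
    }))
    .filter((f) => f.verdict !== "ok");
  const names = new Set(cookies.map((c) => c.name));
  const missingTokens = TOKEN_COOKIES.filter(
    (n) => !names.has(n) && !names.has("UMB-" + n)
  );
  return { findings, missingTokens };
}

// Constructed sample headers (not captured from a real site).
const SAMPLE_COLON =
  "ASP.NET_SessionId=abc123; StylePicker:fontsize=12; XSRF-TOKEN=t; XSRF-V=v";
const SAMPLE_MIXED = "språk=sv; theme!dark=1; UMB-XSRF-TOKEN=t";

for (const header of [SAMPLE_COLON, SAMPLE_MIXED]) {
  console.log(header);
  console.log(JSON.stringify(auditCookies(header), null, 2));
}
```

Any cookie on the domain is sent with the backoffice requests, so the header to audit is the one on a failing request such as GetSections, not only the cookies Umbraco itself sets.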


DLi 20 Jul 2017, 09:18:04

@sebastiaan .NET Framework May 2017 Security and Quality Rollup (running Umbraco 7.2.8 on WS2008R2)


tracuser 20 Jul 2017, 14:02:50

Hello, I am encountering the same issue on version 7.2.4.

After deploying the site or stopping and starting the App Pool, the first time you log into the back-end the page does not load correctly. This appears to be down to requests that have failed with a 417 error. Clearing the cache with CTRL + F5 fixes the issue.

The above listed potential solutions do not seem to work for us:

  • umbracoUseSSL is set to false on our testing site, and we still experience the problem when connecting over an un-secured connection.
  • I cannot see any invalid characters in cookie content or name (please see attached screenshots).
  • The text "SetAngularAntiForgeryTokens" does not appear in the solution.
  • We experience this error even after clearing the browser history, starting a new browser session and directly logging into the back-end without visiting the front-end.
  • We do not use Forms and the table UFUserFormSecurity does not exist in our database.
  • We are not operating behind a proxy.

Please could you recommend any next debugging steps or fixes?

Thanks


Emil Christiansen 08 Aug 2017, 05:36:26

Having the same issues as @tracuser - on an Umbraco 7.2.1

I also checked and went through the list of possible solutions - nothing seemed to do the trick.

We have not changed anything in the solution - but the server is, of course, updated with the newest patches and Microsoft updates. So it seems like this issue could indeed be due to an update or patch as we have not changed anything else.

So, maybe the easiest, best and only solution is to upgrade Umbraco - but I still think it could be great with some kind of knowledge of where and why the problem suddenly occurs on a working Umbraco.


Emil Christiansen 09 Aug 2017, 08:04:16

FYI:

I started uninstalling 'Updates' and 'Security Updates' on the server - restarting the server between each one.

After uninstalling the "KB4024847" everything now seems to work.


Denise del Bando 09 Aug 2017, 15:43:29

same thing happening for me.

  • ssl to false
  • no invalid cookies
  • no angularantiforgery
  • nothing comes for the UFUserFormSecurity
  • no proxy
  • no KB4024847 and KB4014604
  • placing both back office and the front site on separate browsers doesn't work either using umbraco V7.6.4. We keep restarting the server and it is only a temporary fix


Denise del Bando 09 Aug 2017, 15:46:45

screenshot


Denise del Bando 09 Aug 2017, 18:33:31

Sorry. I was visiting pages that didn't have the special characters, that's why I couldn't replicate. After a screenshare session with the client, we did have invalid cookies. So scratch what I just mentioned.


Phil Dye 10 Aug 2017, 11:21:51

Adding another "me-too";

  • Umbraco v7.2.6
  • .NET Framework 4.7 on Windows Server 2012R2
  • latest Windows Updates installed, including monthly-rollup KB4034681 which supersedes some of those above
  • No XSRF-TOKEN cookie is being set on login; an F5 refresh does then set this, in the response to GET /umbraco/backoffice/UmbracoApi/Authentication/GetCurrentUser


Søren Kottal 11 Aug 2017, 13:11:08

I'm also seeing this on solutions running 7.2.x. I fixed it by upgrading. It's fixed in 7.5, so I had an easy time convincing the clients to upgrade to 7.6.x :)


J J 14 Aug 2017, 16:50:25

Adding yet another Me too!

Umbraco 7.2.4, Windows Server 2012 R2, latest updates.

Hosting 20 similar websites on same server and all suddenly got this problem. Opening Umbraco in a new tab seems to allow normal service, but only for that session.

Would love to upgrade to latest release, but clients are not going to pay for my time to do so for a "bug".


Sebastiaan Janssen 30 Aug 2017, 20:04:56

As an update: two of the main causes of this issue will be fixed in the upcoming version 7.6.6:

U4-10363 417 missing token error due to invalid cookie name (this is the most common reason for this error)
U4-10367 417 missing token error due to cookie being overwritten


Jostein S 06 Sep 2017, 12:54:11

Just updated to 7.6.6 via NuGet. Still get the message on backend also after deleting cookies. Tested from multiple devices. Happens on GetCheck, GetCurrentUserGravatar, GetSections and GetDashboard.

Same version works local, but not on server. Only difference I see, is that on the remote server the cookie UMB_UPDCHK is not present. Where is this value set, and how reset it?


Sebastiaan Janssen 06 Sep 2017, 14:37:55

@jostein@norbits.no

  1. 7.6.6 does not solve ALL of the possible problems
  2. Did you update ClientDependency.config? If so, please update it again, just make the version number 1 higher
  3. Check your browser, the cookies should now be prefixed with UMB-
  4. You don't need UMB_UPDCHK, nor does it influence this issue - it is the cookie for the update checker which is likely disabled on the server (<add key="umbracoVersionCheckPeriod" value="0" />)


Jostein S 07 Sep 2017, 06:34:53

@sebastiaan

I tried updating the ClientDependency.config but same problem. I have attached a screen shot of the page load with the cookies. I have tried to delete all cookies and cache, and it still happens.


Jostein S 07 Sep 2017, 06:53:43

@sebastiaan just to let you know. I did a delete of everything below AppData, when I started the site again, it triggered an upgrade again, and after that everything worked.


Sebastiaan Janssen 07 Sep 2017, 06:56:16

Interesting, I have no idea why that would've helped, but I'm glad to hear it did! :)


Jostein S 08 Sep 2017, 13:36:35

Just did a release to another production site, and same thing happened. This time I did a try and fail approach to see that folder delete did the trick. Deleting the \AppData\ClientDependency folder solved the issue for me. (The folder is re-created).


Sebastiaan Janssen 08 Sep 2017, 13:42:28

Yeah, so this is not surprising: always, always, always change the CDF version on the target environment. Always. :)

Otherwise client-side files are cached and updates don't get loaded and errors will occur. Updating the version in ClientDependency.config does exactly what you just did: it deletes and rebuilds the files in AppData/TEMP/ClientDependency.


Jostein S 08 Sep 2017, 13:47:34

@sebastiaan but in fact I did bump the clientDependency version in the ClientDependency.config file. Increased it by one, and did a hard reset of the application pool. This did nothing. Not until I deleted the folder manually did it help.


Charles Williams 08 Sep 2017, 17:10:21

Yes, I have this same issue. The XSRF-TOKEN and XSRF-V cookies are not getting set on login. I am using 7.2.8. I have no way of upgrading at the moment because our authentication system would take a while to get working with other Umbraco versions. It doesn't matter if I use SSL or I don't. I have to simply refresh the page and then the cookies are set, or recognized.


Sebastiaan Janssen 08 Sep 2017, 17:41:50

@charlwillia6 Well that would be incredibly surprising if they did get set, those cookies got introduced in 7.3.2: https://github.com/umbraco/Umbraco-CMS/commit/18c3345e47663a358a042652e697b988d6a380eb

So you must have a different problem, see all of the causes that we've identified listed in the comment above: http://issues.umbraco.org/issue/U4-9873#comment=67-38340


Charles Williams 08 Sep 2017, 17:46:08

@sebastiaan Well they are getting set. See my screenshot. And yes, I am using 7.2.8. I have also checked out your comments and none of those issues fix it and/or are relevant.


Sebastiaan Janssen 08 Sep 2017, 18:03:27

@charlwillia6 So which is it, they are not getting set or they are getting set? :-)

Fair enough, just tried a fresh install of 7.2.8 and: surprise! I found the applicable cookies. :-) Looks like they were actually added as early as 7.0.1 https://github.com/umbraco/Umbraco-CMS/commit/ea35ea1af5b82a5c098b473c77730ad87a7db909

But more importantly: what is your actual problem? Can you describe it in detail?


Charles Williams 08 Sep 2017, 18:18:56

@sebastiaan When logging into the backoffice, with or without the cache empty and the cookies deleted, there is no sidebar and if you click on any of the content, nothing shows up in the right frame. I am not getting any console errors. Just 417's as in red in the attached screenshot. If I refresh the page, everything goes back to normal. I just checked, but it doesn't matter if the XSRF-TOKEN and XSRF-V cookies are already there or not.


Sebastiaan Janssen 08 Sep 2017, 19:28:04

@charlwillia6 So what exactly is the problem, when you first login you always have to do a refresh? Or..?


Charles Williams 08 Sep 2017, 19:40:43

@sebastiaan Yes. If I don't refresh the page after I login I get no sidebar or right side content. If I logout and login back in, same issue. I would have to refresh the page to get a sidebar and right side content and I get the 417 errors every time I login. If the backoffice login timeout occurs, which means if I don't logout and come back later after I have been logged out, and then I log back in, then I DO NOT have to refresh the page and my sidebar and right side content does show up. If I clear the cache and my cookies at any point and try to log back in then I get no sidebar. I get the content list, as shown in my attached screenshot on my last post, but I do not get anything except for more 417 errors if I click on any of the content items. In my case, I have a multi-site setup, so they are websites.

I am assuming that the XSRF-TOKEN and XSRF-V cookies do not get updated, or set if the cookies are not present, until after I refresh the page once I have logged in.


Sebastiaan Janssen 08 Sep 2017, 19:56:53

@charlwillia6 Unfortunately I don't recall this being a known problem in 7.2.8 and I can't find info on it. Not a lot has changed in the ValidateAngularAntiForgeryTokenAttribute class either. So the only way I see you getting to the cause of your problem is if you dig in some deeper, I just blogged some tips for doing just that here:

https://cultiv.nl/blog/help-your-favorite-open-source-project-by-helping-yourself/

If you get more info on what exactly is going wrong, it might trigger something for me that might help you out.


Charles Williams 08 Sep 2017, 20:01:20

@sebastiaan I don't understand. I am literally reporting exactly what this issue report is reporting. This issue report says it affects 7.1.3 to 7.2.8. I was basically just saying I am having this issue also.

When logging in to the backoffice, the left sidebar does not load. Neither does it allow creating or editing nodes.

Web console outputs:

umbraco/backoffice/UmbracoApi/Section/GetSections Failed to load resource: the server responded with a status of 417 (Missing token)
umbraco/backoffice/UmbracoApi/Dashboard/GetDashboard?section=content Failed to load resource: the server responded with a status of 417 (Missing token)

Reloading the window cures it.

Looking at my cookies, I'm not getting any anti-XSRF tokens until I reload. Included screen-dump of site and console.

'''Reproduced on multiple installations of Umbraco 7.2.8 in Chrome & FF Latest, and on multiple PCs.'''

Also reported by @rs@impera.se. The problem like many other people have reported is that nothing changed in my project and then one day it just started happening. I don't know if it is because Azure updated .NET to 4.7, or what, but one minute it is fine, the next it isn't. This is not an isolated report only affecting me. That is seriously what this issue report is stating.


Sebastiaan Janssen 08 Sep 2017, 21:07:14

I understand that you have a problem. I have no advice for you, we have no information to help fix this problem, if you can give more info that would be great. But at this point there's absolutely nothing else I can do for you I'm afraid.

It's good that you added the info that you're running on Azure, maybe someone else on Azure has this problem and can figure out the cause.

More info is always better, keep it coming.


Charles Williams 08 Sep 2017, 21:39:56

It does happen on a local IIS server too. Not just Azure. It's not specific to Azure.


Sebastiaan Janssen 08 Sep 2017, 22:23:45

That's interesting, if you could attach a debugger and step through the Umbraco.Web.WebApi.Filters.AngularAntiForgeryHelper.ValidateHeaders method to see what might be going wrong that would be great!

Tips on how to do this in the blog post I mentioned: https://cultiv.nl/blog/help-your-favorite-open-source-project-by-helping-yourself/


Sebastiaan Janssen 11 Sep 2017, 11:02:29

@jostein@norbits.no Thanks for the feedback on the Temp folder, I've heard it happen for someone else too, so we decided it couldn't hurt to just delete the folder during the upgrade so that you don't have to do it manually.

This should be available in the next version: http://issues.umbraco.org/issue/U4-10400


Charles Williams 15 Sep 2017, 19:43:09

@sebastiaan I decided to do this fix https://our.umbraco.org/forum/using-umbraco-and-getting-started/85747-417-missing-token-suddenly-occurring-on-all-our-sites#comment-271762 by decompiling the umbraco.dll and then recompiling it, and now there are no issues. When I tried to debug Umbraco.Web.WebApi.Filters.AngularAntiForgeryHelper.ValidateHeaders, it never hit the breakpoint or stepped-in. I am not sure I was doing something wrong, but I didn't get anywhere with that. I even tried doing it on the PostLogin method.

Anyway, that post fixes the issue, so it seems as though the SetAngularAntiForgeryTokenattribute does not actually work with the PostLogin method in 7.2.8. So hopefully that helps you.


Emiel 27 Sep 2017, 12:20:21

Hey @sebastiaan, we are currently running 7.7.1 and currently having the same issues - what happens is that after a random* period of time, these 417 (missing token) errors pop up. What we have done now to fix this was to remove Umbraco + the Umbraco client from the build server, and have it restore again with a new deployment. FYI: Every release Octopus is configured to create a new directory (without temp data) and deploy the provided build package.

When pin-pointing for the exact cause for this issue, I noticed three things:

  • First we get 404 errors in the backoffice. Umbraco becomes unresponsive. After clearing cache + cookies we get the 417 missing token issue. UMB_UPDCHK cookie is not being set, UpdateCheckController.cs requires this: (https://github.com/umbraco/Umbraco-CMS/blob/7e25501ac530cf2b3fb9f9ac3b216ef378d19f8a/src/Umbraco.Web/Editors/UpdateCheckController.cs#L19)

  • Three API calls require this token:
      - /UmbracoApi/UpdateCheck/GetCheck
      - /UmbracoApi/Section/GetSections
      - /UmbracoApi/Content/GetById?id=

  • Clearing cookie/cache and/or trying to navigate /Umbraco in private mode (Chrome) does not solve it. Could this relate to a value in temp data folder which then locks you out of Umbraco (some sort of session/cookie value conflict?)

* = We suspect this is when user session ends, by default 20 minutes.

I really hope that a fix is due, as otherwise we might be forced to downgrade to a more stable version as the project is supposed to go to production in a couple of days.

Thanks!


Sebastiaan Janssen 27 Sep 2017, 12:33:31

@emiel.dorsman@poort80.nl You don't get the updatecheck cookie if you have set the versioncheck period to 0. As you can see on the next line of code that you linked to, you'll just get an empty string assigned, which is no different in older versions of Umbraco and loads of people work like this on their live environment.

So.. let's start over: First of all, this exact same setup worked for you in an older version of Umbraco apparently, which version was that? What do you see in the browser console when you get 417 errors? When you get 417 errors, make sure to inspect your cookies in the browser like many people have done in the comments above. Do you have any errors in the logs?

Finally, have you read all the comments and ruled out the problems mentioned there? This comment of mine in particular points out in which cases you might see a 417 error: http://issues.umbraco.org/issue/U4-9873#comment=67-38340


Emiel 02 Oct 2017, 06:48:01

Hey @sebastiaan, sorry for the late update, we finally found our cause: A different part of our team set up a second build server and ran jobs for several projects, including this one. We assume that some difference between Umbraco emerged with this, resulting in the 417 token conflict. We disabled the second build server for this project, let Jenkins restore the Umbraco package again and since then it has been smooth sailing for us.


Stefan Kip 05 Oct 2017, 06:38:39

We've been experiencing this issue since running Windows Update on our Windows Server 2012 R2 servers. There are 2 updates I suspect: Microsoft .NET Framework 4.7 (KB3186539) and 2017-09 Security and Quality Rollup (KB4041085). Seen this issue in umbraco v7.1.8, v7.2.0, v7.2.1 (3 instances).

I've seen posts blaming the May 2017 Quality Rollup for the .NET Framework 4.6, 4.6.1, and 4.6.2 for Windows 8.1 and Windows Server 2012 R2 (KB4014604) update, but we don't have it installed.

This is a serious issue and I'm afraid Microsoft's to blame because of the updates. However it seems to be fixed in later umbraco versions, so there might be a coding issue in these versions related to these cookies?


Sebastiaan Janssen 05 Oct 2017, 09:08:44

Just FYI for people starting to read at the bottom: one of the comments above lists the causes that we know of: http://issues.umbraco.org/issue/U4-9873#comment=67-38340

And two of the main causes have been fixed in 7.6.6: http://issues.umbraco.org/issue/U4-9873#comment=67-41421


Stefan Kip 05 Oct 2017, 09:21:06

@sebastiaan You probably refer to my comment, but the possible causes listed in http://issues.umbraco.org/issue/U4-9873#comment=67-38340 do not match the situation I'm having. Browsing straight to the back-office over HTTPS in a vanilla browser also has this issue. It seems the PostLogin call doesn't set the required XSRF cookies. With a browser refresh the GetCurrentUser endpoint is called, which does set the required cookies.

Sorry if I missed something previously in the thread, but it seems to be a non-previously described case. Just trying to help :-)


Sebastiaan Janssen 05 Oct 2017, 09:46:54

@kipusoep I was mostly referring to the people upvoting this issue, I just want to make sure that relevant comments get read.

Sure, that might be an even different problem! I know a lot of the code was updated in 7.3 as well, which may have fixed some of these errors already: https://github.com/umbraco/Umbraco-CMS/commit/4dcc4807ed69b72035e4f40a9896644bfa73d6e7

You are not going to want to hear this, but you may want to consider upgrading your 3 year old CMS ;-)


Stefan Kip 05 Oct 2017, 09:51:35

@sebastiaan That's not my call to make ;-)


Charles Williams 06 Oct 2017, 13:25:58

@sebastiaan I agree, it would be great to just be able to update and have issues like this that have been fixed in later versions to just disappear. But since updating Umbraco usually breaks old versions, and when you have so much custom development laying on top of your current Umbraco project, it makes it almost near impossible to take the time to upgrade, especially if your development team is small. We used CAS and a bunch of Archetype customization, other deep customization, along with our instance of Umbraco being a very large multi-site project, that it has been near impossible to find the time to update from v7.2.8 because so many things changed after that version involving authentication and logging in. Such as this issue that definitely affects most versions before 7.2.8, but I have seen a lot of issues beyond 7.2.8 while searching Google where developers are still having the same problem under certain conditions. So admitting that there is a problem and finding what the cause of the problem is, and finding the fix for that said problem so users can implement that fix, regardless of what version of Umbraco they are using, would be the ideal thing to do. But then again, it is an open-source project, so I do understand where you are coming from too. I just don't have the time to fix all the issues with Umbraco myself along with all the issues with my website also.


Sebastiaan Janssen 07 Oct 2017, 13:47:03

@charlwillia6 I'm not sure what you are suggesting here? If we find a fix for this, to release a new patch for every single version since 7.1.3? On very rare occasions, yes, we would do that, but only if it's needed for a critical security update. We simply don't have the time to do this either. The last security update we had to release in that way took 2 full days of work for me. Imagine having to backport all kinds of random issues and it becomes impossible to get any new work done. Of course if these problems are critical to you then you can pay us for a support plan and we'll be able to hire new staff to make your wishes come true :-)


Sebastiaan Janssen 07 Oct 2017, 13:53:20

Ps. what's frustrating about this problem is that we cannot reproduce it. That's the main reason why I wrote that blog post. It pains me that we cannot fix it and it's frustrating that nobody can help fix it. It's a shame, but we'll wait patiently for someone to come up with the cause and solution for these problems, one day.


Stefan Kip 07 Oct 2017, 13:59:29

@sebastiaan I'd be happy to help, but not sure where to start. The issue was introduced by a Windows Update which makes it harder.


Ambert van Unen 11 Oct 2017, 10:00:41

We have the exact same situation as @charlwillia6 mentioned in his post

When logging in to the backoffice, the left sidebar does not load. Neither does it allow creating or editing nodes.

Web console outputs:

umbraco/backoffice/UmbracoApi/Section/GetSections Failed to load resource: the server responded with a status of 417 (Missing token)
umbraco/backoffice/UmbracoApi/Dashboard/GetDashboard?section=content Failed to load resource: the server responded with a status of 417 (Missing token)

Reloading the window cures it.

Looking at my cookies, I'm not getting any anti-XSRF tokens until I reload. Included screen-dump of site and console.

Reproduced on multiple installations of Umbraco 7.2.8 in Chrome & FF Latest, and on multiple PCs.

@sebastiaan @kipusoep We're having the exact same thing for all 7.2.8 websites on our server (about 40). The only KB update I can find that is mentioned here is KB4041085. The other updates are not installed on our server.


Charles Williams 11 Oct 2017, 11:22:07

@sebastiaan Yes, a patch would be nice. I think a patch would be the appropriate action for this particular issue since it affects multiple versions and has to do with authentication. It also did not occur until a particular Windows Update was released, which seems even more likely that a patch should be released to fix the issue.

I do not understand how you can't replicate this issue. I can take a clean installation of Umbraco 7.2.8 right now, install it on my own Windows 10 PC in a dev environment running IIS, and this issue will happen. This affects pretty much anyone running 7.2.8 and below. I am very surprised you cannot replicate this. I have also posted how I have fixed it. There is a forum post on ourumbraco.org about it where I got the fix. You would think that would help you guys look into the matter a little bit more and actually pinpoint what might be going wrong.

The fact is that this problem is critical to many people, users and developers, that are running old instances of Umbraco. Those that can upgrade have done it. Those that have installed versions of Umbraco after 7.2.8 seem to rarely have this issue. But it is not just a critical issue to me, which is why I am not even considering extra support for the issue, because this is a CRITICAL problem with the backoffice authentication, not just with my Umbraco project. Yes, you probably don't hear about it that much because other developers are using updated versions of Umbraco now, but that doesn't make it any less of an issue for those that have not. And again, I fixed the issue, so I don't need support. The fact that you are suggesting that I get support for an ISSUE (BUG) that affects almost all versions (v7.x.x) of Umbraco under 7.3 makes me feel as though you are just looking for money versus actually trying to help the Umbraco project that is open source and available freely, and the community that depends on it.

Since this is an issue tracker, I think the main point of all these comments is to establish that there is definitely an issue, it is affecting a lot of users, and a lot of those users cannot upgrade because of custom developments, and a lot of users may have a perfectly running website except for this one issue. I have noticed that a large amount of Umbraco sites are developed on version 7.2.8, and it appears that no one at Umbraco, whether they volunteer their time or not, really cares about this issue. If you do a search on ourumbraco.org, or even Google, this is an issue that affects A LOT of people.

I would love to help. I wish I had the time to break Umbraco and the Umbraco.Core down, learn every aspect of it, and become a contributing member to the Umbraco team. But I don't. I have a day job that takes up about 60 hours of my week, and I honestly just don't have the time. But if you look back on all the comments in this issue report, and other issue reports that are actually reporting the same issue, you will find lots of useful information in regards to the issue, and even possible fixes for the issue. Which is why I cannot seem to understand how you, or those on the Umbraco team cannot seem to replicate this or even remotely find a fix for it. It actually amazes me.


DLi 11 Oct 2017, 12:00:53

@charlwillia6 you wrote: "There is a forum post on ourumbraco.org about it where I got the fix". Could you please give the correct post URL? Thanks.


Ambert van Unen 11 Oct 2017, 12:27:28

@DLi It's right there in his post: https://our.umbraco.org/forum/using-umbraco-and-getting-started/85747-417-missing-token-suddenly-occurring-on-all-our-sites#comment-271762


Ambert van Unen 04 Dec 2017, 14:06:25

@sebastiaan I guess no news? ;/ Clients are still having these issues, sadly.


Stefan Kip 04 Dec 2017, 14:08:46

Same here


Arjan Woldring 06 Dec 2017, 09:49:30

Same here. Deleted cookies and all was fine again.


Jesse Andrews 11 Jan 2018, 18:51:32

I've tried deleting the cookies in the past and that didn't clear up the issue for me, though I haven't tested that solution recently. I did run into this issue in Chrome after upgrading from 7.6.5 to 7.7.6 and stumbled across a potential workaround. I signed into Umbraco with a different browser and after coming back to Chrome, the issue had disappeared. Haven't thoroughly tested this workaround, but this may help people running into this problem.


Steve Edson 23 Jan 2018, 11:39:33

I had the same issue and none of the above would fix it.

I eventually solved it by deleting the umbraco and umbraco_client folders from my main project, and copying them back from the packages -> UmbracoCMS -> UmbracoFiles folder. This immediately solved the issue.


Priority: Major

Type: Bug

State: Submitted

Assignee:

Difficulty: Normal

Category: Architecture

Backwards Compatible: True

Fix Submitted:

Affected versions: 7.2.0, 7.1.3, 7.1.8, 7.1.9, 7.2.1, 7.2.4, 7.2.6, 7.2.8, 7.7.1
