Is there an existing issue for this?
- I have searched the existing issues
Description
We are using ABP Web Application v9.0.4 with an Angular front end.
When a user is authenticated:
- On Tab 1 (main application), POST requests work normally.
- When the user opens the ABP-provided Documentation module in Tab 2, a new XSRF token is issued.
- Returning to Tab 1, POST requests fail with an antiforgery error.
- POST requests on Tab 1 only succeed after refreshing the tab.
Reproduction Steps
1. Log in to the main ABP web application.
2. Perform a POST/PUT/DELETE request from the main app on the first tab.
3. Open the Docs module in a new browser tab, e.g.: /documents/en/opt/latest
4. Return to the original tab and perform a POST/PUT/DELETE request from the main application.
Expected behavior
Opening the Documentation module should not overwrite the XSRF token used by the main application. POST requests in other tabs should continue to work without requiring a refresh.
Actual behavior
The request fails with the following error:
The provided antiforgery token was meant for a different claims-based user than the current user.
Regression?
No response
Known Workarounds
No response
Version
9.0.4
User Interface
Angular
Database Provider
EF Core (Default)
Tiered or separate authentication server
None (Default)
Operation System
Windows (Default)
Other information
No response