Hmm... I've noticed the following, which to me seems "suspicious": When logged in, the __epiXSRF cookie has the value XXX. When I log out I'm navigated to a page with the URL .../logout.aspx?__epiXSRF=XXX. However, the __epiXSRF cookie now has the value YYY. Could this "mismatch" perhaps explain our problems?
If I submit ../logout.aspx?__epiXSRF=XXX, I again get the forgery exception. But if I submit ../logout.aspx?__epiXSRF=YYY (i.e. using the new cookie value after URL encoding it), I get to the logout page without any error. 🤔
While performing tests (using Chrome) it is quite usual that we log in/log out from Episerver using different test user accounts. Prior to version 11 of the CMS, switching user was done by logging out the current user, reloading the page (normal/hard/no cache) and then logging in again using another user account. However, after the upgrade this now results in "The page cannot be displayed because an internal server error has occurred.". The reason for this seems to be that the following exception is thrown: EPiServer.Framework.Web.AspNetAntiForgery.ThrowForgeryException. Is this expected behaviour? What makes me wonder is the less than graceful handling/error message.