Merge pull request #7315 from umbraco/v8/bug/3935-useractions-xsrf-validation

Adding extra validation for anti forgery tokens

src/Umbraco.Web/Mvc/ValidateMvcAngularAntiForgeryTokenAttribute.cs

@@ -22,7 +22,7 @@ namespace Umbraco.Web.Mvc
             var userIdentity = filterContext.HttpContext.User.Identity as ClaimsIdentity;
             if (userIdentity != null)
             {
-                //if there is not CookiePath claim, then exist
+                //if there is not CookiePath claim, then exit
                 if (userIdentity.HasClaim(x => x.Type == ClaimTypes.CookiePath) == false)
                 {
                     base.OnActionExecuting(filterContext);

src/Umbraco.Web/Security/BackOfficeCookieAuthenticationProvider.cs

@@ -41,6 +41,9 @@ namespace Umbraco.Web.Security
                     : Guid.NewGuid();
 
                 backOfficeIdentity.SessionId = session.ToString();
+
+                //since it is a cookie-based authentication add that claim
+                backOfficeIdentity.AddClaim(new Claim(ClaimTypes.CookiePath, "/", ClaimValueTypes.String, UmbracoBackOfficeIdentity.Issuer, UmbracoBackOfficeIdentity.Issuer, backOfficeIdentity));
             }
 
             base.ResponseSignIn(context);

src/Umbraco.Web/WebApi/Filters/ValidateAngularAntiForgeryTokenAttribute.cs

@@ -21,7 +21,7 @@ namespace Umbraco.Web.WebApi.Filters
             var userIdentity = ((ApiController) actionContext.ControllerContext.Controller).User.Identity as ClaimsIdentity;
             if (userIdentity != null)
             {
-                //if there is not CookiePath claim, then exist
+                //if there is not CookiePath claim, then exit
                 if (userIdentity.HasClaim(x => x.Type == ClaimTypes.CookiePath) == false)
                 {
                     base.OnActionExecuting(actionContext);