From 35d021237ec49ee317248312171c41388605f823 Mon Sep 17 00:00:00 2001
From: elitsa
Date: Wed, 11 Dec 2019 14:33:21 +0100
Subject: [PATCH 1/2] Added a cookie path claim on user login, so that we can validate requests for xsrf token

---
 .../Security/BackOfficeCookieAuthenticationProvider.cs | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/Umbraco.Web/Security/BackOfficeCookieAuthenticationProvider.cs b/src/Umbraco.Web/Security/BackOfficeCookieAuthenticationProvider.cs
index e7aef4be03..ed6abb3fbe 100644
--- a/src/Umbraco.Web/Security/BackOfficeCookieAuthenticationProvider.cs
+++ b/src/Umbraco.Web/Security/BackOfficeCookieAuthenticationProvider.cs
@@ -41,6 +41,9 @@ namespace Umbraco.Web.Security
 : Guid.NewGuid();
 backOfficeIdentity.SessionId = session.ToString();
+
+ //since it is a cookie-based authentication add that claim
+ backOfficeIdentity.AddClaim(new Claim(ClaimTypes.CookiePath, "/", ClaimValueTypes.String, UmbracoBackOfficeIdentity.Issuer, UmbracoBackOfficeIdentity.Issuer, backOfficeIdentity));
 }
 base.ResponseSignIn(context);

From 0c377a05dc39adf3ab9118ce2bdd10c217579b29 Mon Sep 17 00:00:00 2001
From: elitsa
Date: Wed, 11 Dec 2019 14:34:04 +0100
Subject: [PATCH 2/2] Typo fixes

---
 .../Mvc/ValidateMvcAngularAntiForgeryTokenAttribute.cs | 2 +-
 .../WebApi/Filters/ValidateAngularAntiForgeryTokenAttribute.cs | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/Umbraco.Web/Mvc/ValidateMvcAngularAntiForgeryTokenAttribute.cs b/src/Umbraco.Web/Mvc/ValidateMvcAngularAntiForgeryTokenAttribute.cs
index 756ca7f05c..0803941a70 100644
--- a/src/Umbraco.Web/Mvc/ValidateMvcAngularAntiForgeryTokenAttribute.cs
+++ b/src/Umbraco.Web/Mvc/ValidateMvcAngularAntiForgeryTokenAttribute.cs
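Review bot: The new claim hard-codes the path as "/" instead of taking it from the cookie that is actually being issued, so it stops describing the real cookie scope as soon as the back-office cookie is configured with a narrower path; the Katana sign-in context carries the configured options, so `context.Options.CookiePath ?? "/"` would keep the claim in step with the cookie. Because the two anti-forgery filters later in this series treat the absence of this claim as "not cookie-authenticated" and appear to skip XSRF token validation in that case, the protection only holds for identities produced by this sign-in path: sessions issued before this change, or any other code path that builds an authenticated identity without reaching ResponseSignIn, will lack the claim and bypass the check until the user signs in again, which is worth confirming and stating at the point the claim is added. I would also make the added comment carry that dependency, e.g. `// marks this identity as cookie-authenticated; the Angular anti-forgery filters skip XSRF validation for identities without this claim, so every cookie sign-in path must add it`. ResponseSignIn begins outside the hunk.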
@@ -22,7 +22,7 @@ namespace Umbraco.Web.Mvc
 var userIdentity = filterContext.HttpContext.User.Identity as ClaimsIdentity;
 if (userIdentity != null)
 {
- //if there is not CookiePath claim, then exist
+ //if there is not CookiePath claim, then exit
 if (userIdentity.HasClaim(x => x.Type == ClaimTypes.CookiePath) == false)
 {
 base.OnActionExecuting(filterContext);
diff --git a/src/Umbraco.Web/WebApi/Filters/ValidateAngularAntiForgeryTokenAttribute.cs b/src/Umbraco.Web/WebApi/Filters/ValidateAngularAntiForgeryTokenAttribute.cs
index 0abdfb5d2f..f147a2a4cb 100644
--- a/src/Umbraco.Web/WebApi/Filters/ValidateAngularAntiForgeryTokenAttribute.cs
+++ b/src/Umbraco.Web/WebApi/Filters/ValidateAngularAntiForgeryTokenAttribute.cs
@@ -21,7 +21,7 @@ namespace Umbraco.Web.WebApi.Filters
 var userIdentity = ((ApiController) actionContext.ControllerContext.Controller).User.Identity as ClaimsIdentity;
 if (userIdentity != null)
 {
- //if there is not CookiePath claim, then exist
+ //if there is not CookiePath claim, then exit
 if (userIdentity.HasClaim(x => x.Type == ClaimTypes.CookiePath) == false)
 {
 base.OnActionExecuting(actionContext);