Changes to anti forgery token in CMS 6 R2 and how it broke my tests


In the project I'm currently trying to upgrade from R1 to R2 we have some integration tests that test "low level" HTTP stuff. For instance, that mobile browsers get the correct MIME type and that our REST API responds with the correct status codes. These tests basically use a WebRequest / WebResponse type of flow. After the upgrade, all the tests that required login failed with various cryptic error messages. Being the, quite frankly, brilliant me that I am, I quickly fired up Fiddler to take a look at the request. Or I just stood and cursed until my colleagues @kalahl and @lillbra told me to take a look in Fiddler. Who can remember?

Anyhoo, what became quite apparent once Fiddler was running was that the login process failed: when the page that required login was visited, it simply redirected to the login page. In our Browser class (which acts as a wrapper around WebRequest/WebResponse) we create a POST request with the needed fields so that the authentication can take place. Besides the expected fields like user name and password, EPi also uses an anti-forgery token, the usual defence against cross-site request forgery of the login POST: the server only accepts the form if it carries the token it issued along with the login page.

Changes between R1 and R2

As you can probably guess from the title of this post, the name of the hidden field carrying this token has changed between R1 and R2. If we take a look at the HTML generated for /util/login.aspx we get the following (the value attributes are elided):

<!-- CMS 6 R1: the token field before the upgrade -->
<input type="hidden" 
  name="(R1 field name)"
  value="(value)" />
<!-- CMS 6 R2: the field name now carries a site-specific suffix -->
<input type="hidden" 
  name="__epiAntiForgeryToken_bG9jYWxob3N0OjExNzcv"
  value="(value)" />

Not only has the field name changed in R2; the part after __epiAntiForgeryToken_ (bG9jYWxob3N0OjExNzcv in the example above, which is simply Base64 for localhost:1177/) is tied to the URL the site is served from, meaning it will be different for a login from http://localhost and
Once this was clear, updating the Browser class and getting the tests to pass again was simple: instead of posting a field with a hard-coded name, the wrapper has to read the login page first, pick out the hidden input whose name starts with __epiAntiForgeryToken_, and post it back under exactly that name.
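The following is an added example, not code from the post or from EPiServer, and written in Python rather than as the .NET WebRequest wrapper the post describes. It shows the part of a test-browser helper that the R2 change affects: parsing the login page for the hidden fields, locating the token field by its __epiAntiForgeryToken_ prefix rather than by a fixed name, Base64-decoding the suffix to confirm it is bound to the host you are about to POST to (the post's example decodes to localhost:1177/; the exact format beyond that example is an assumption), and forwarding every hidden field together with the credentials. The sample HTML, the __VIEWSTATE value, the token value and the UserName/Password field names are all constructed for the example and are not taken from the real login page.

```python
import base64
from html.parser import HTMLParser
from urllib.parse import urlsplit

TOKEN_PREFIX = "__epiAntiForgeryToken_"

# Constructed sample of /util/login.aspx in CMS 6 R2. The token field name is
# the one from the post; every other name and value here is made up.
SAMPLE_LOGIN_HTML = """
<form method="post" action="/util/login.aspx">
  <input type="hidden" name="__VIEWSTATE" value="dDwtMTIzNDU2Nzg5Ow==" />
  <input type="hidden" name="__epiAntiForgeryToken_bG9jYWxob3N0OjExNzcv"
         value="c2FtcGxlLXRva2VuLXZhbHVl" />
  <input type="text" name="UserName" />
  <input type="password" name="Password" />
</form>
"""


class HiddenFieldParser(HTMLParser):
    """Collects every <input type="hidden"> on the page as name -> value."""

    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = dict(attrs)
        if a.get("type", "").lower() == "hidden" and a.get("name"):
            self.fields[a["name"]] = a.get("value", "")


def hidden_fields(html):
    parser = HiddenFieldParser()
    parser.feed(html)
    return parser.fields


def find_antiforgery_field(html):
    """Return (name, value) of the R2-style token field, or None if the page
    has no field with the prefix (e.g. R1 markup, or a page that is not the
    login page at all because an earlier step already failed)."""
    for name, value in hidden_fields(html).items():
        if name.startswith(TOKEN_PREFIX):
            return name, value
    return None


def decode_token_suffix(field_name):
    """Decode the Base64 part after the prefix. Padding is re-added in case a
    site URL of another length leaves an unpadded suffix (assumption)."""
    suffix = field_name[len(TOKEN_PREFIX):]
    suffix += "=" * (-len(suffix) % 4)
    return base64.b64decode(suffix).decode("utf-8")


def token_matches_site(field_name, site_url):
    """Check that the host:port baked into the field name is the one we are
    posting to; in the post's example the decoded form is "localhost:1177/",
    so host, port and a trailing slash are compared (assumption)."""
    expected = urlsplit(site_url).netloc + "/"
    return decode_token_suffix(field_name) == expected


def build_login_post(html, site_url, username, password):
    """Assemble the login POST body: forward every hidden field unchanged
    (the token under whatever name R2 gave it) and add the credentials.
    "UserName" and "Password" are placeholder field names, not EPi's."""
    token = find_antiforgery_field(html)
    if token is None:
        raise ValueError("no %s* field found; R1 markup or not the login page?" % TOKEN_PREFIX)
    if not token_matches_site(token[0], site_url):
        raise ValueError("token bound to %r, but posting to %r"
                         % (decode_token_suffix(token[0]), site_url))
    fields = hidden_fields(html)
    fields["UserName"] = username
    fields["Password"] = password
    return fields


if __name__ == "__main__":
    name, _ = find_antiforgery_field(SAMPLE_LOGIN_HTML)
    print(name, "->", decode_token_suffix(name))
    print(build_login_post(SAMPLE_LOGIN_HTML, "http://localhost:1177/", "user", "pass"))
```

The host check is what turns the "cryptic" failure into a readable one: if the test suite fetches the login page under one host name but the site is configured for another, the token field is still present, so a wrapper that only looks for the prefix would post it and get the silent redirect back to the login page; comparing the decoded suffix to the target URL fails fast with the mismatch spelled out.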