ANTIFORGERY_ID_mismatch. Expecting... #237

Open
planet4 opened this issue May 5, 2020 · 12 comments

@planet4

planet4 commented May 5, 2020

We are using the plugin for our intranet and some other internal WP sites. In general it works fine but a few users sometimes get the error below.
We are using the Force Login plugin in order to have our users logged in automatically.

I would be very happy if someone could point me in the right direction to understand what is causing this error.

[Image: wpfel]

@ajl80

ajl80 commented May 18, 2020

Hi,
I am also having this issue.

@psignoret
Owner

@andyleese @planet4 Can you please share some details on how you're hosting WordPress?

@ajl80

ajl80 commented May 18, 2020

It's:
Self Hosted
Windows Server
IIS: 10.0
PHP: 7.1.7
WordPress: 5.3.2

It writes sessions to temp fine.
I've tried disabling the WP Super Cache plugin.
Like @planet4 said, it seems to be random users.

@psignoret
Owner

psignoret commented May 18, 2020

A couple more questions:

  • Are you running WordPress on a single service or on multiple instances?
  • Is the blog served from both HTTP and HTTPS? If yes, are you able to reproduce the issue if you try to access with http://... (but then get redirected back after sign-in to https://...)? Or vice versa?

@ajl80

ajl80 commented May 18, 2020

It's a network setup.

OK if I put http://... it seems to work, signs in to https://...
else https://... errors (but not for everyone)

@planet4
Author

planet4 commented May 19, 2020

Exactly the same issue here. Running on Ubuntu Server 18.04 with Apache. HTTP is redirected to HTTPS. Just a few users get this occasionally. WP is running in a single instance.

@Ssy3

Ssy3 commented Jun 20, 2020

I just downgraded WordPress to 5.3.4 using the following plugin:
https://wordpress.org/plugins/wp-downgrade/

and everything is working fine. We hope to find a solution for this issue in the newer version of WordPress.

@Ssy3

Ssy3 commented Aug 21, 2020

Create a new Azure AD app and update WordPress to the latest version.

@i-am-dan

Not sure if it's the same issue, but make sure you are calling the 'authenticate' filter from the page it's redirecting to after getting the code. I had this issue when I signed in from another page (not wp-login) and the redirect URL was set to wp-login.php.

@chris18890

I've discovered that if your config/site has "Set-Cookie -SameSite=Strict", it will interfere with SSO & the anti-forgery ID being passed

@mmirandab

> I've discovered that if your config/site has "Set-Cookie -SameSite=Strict", it will interfere with SSO & the anti-forgery ID being passed

How can I change this option?

@chris18890

chris18890 commented Aug 24, 2021

@mmirandab depends on how you're hosting your website - if it's self-hosted/on a VPS, it's easy enough to change; for Apache it's a matter of modifying the relevant "Set Header" in the config file (/etc/apache2/conf-available/security.conf for Apache on Ubuntu), & reloading/restarting Apache. I'd assume other web servers like NGINX and/or other distros like Debian/RHEL-based will be similar. If you're using a managed hosting package - the short answer is I dunno/it depends on the platform/provider
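
An added example (not part of the thread and not the plugin's code): a Python check that takes a site's Set-Cookie header values and reports which cookies a browser withholds on the cross-site return from the sign-in page, the situation the SameSite=Strict comments above describe. It assumes the anti-forgery value depends on a session cookie (PHP's default `PHPSESSID` stands in for it), that a cookie with no SameSite attribute is treated as Lax, and the header values are constructed samples.

```python
# Added example: which cookies survive the redirect back from the identity provider?

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, dict of lower-cased attributes)."""
    first, *rest = [part.strip() for part in header.split(";")]
    name = first.split("=", 1)[0]
    attrs = {}
    for part in rest:
        if not part:
            continue
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip().lower()
    return name, attrs

def sent_on_return(attrs, method="GET"):
    """True if a browser attaches the cookie to a cross-site top-level
    request back to the site (GET redirect or POST form submission)."""
    samesite = attrs.get("samesite", "lax")  # assumption: unset is treated as Lax
    if samesite == "strict":
        return False                  # withheld when the navigation starts on another site
    if samesite == "none":
        return "secure" in attrs      # browsers reject SameSite=None without Secure
    return method.upper() == "GET"    # Lax: top-level navigation with a safe method only

def audit(headers, method="GET"):
    """Names of cookies the server will NOT receive on the return request."""
    withheld = []
    for header in headers:
        name, attrs = parse_set_cookie(header)
        if not sent_on_return(attrs, method):
            withheld.append(name)
    return withheld

SAMPLE = [  # constructed Set-Cookie values, not taken from any site in the thread
    "PHPSESSID=abc123; path=/; HttpOnly; Secure; SameSite=Strict",
    "wordpress_test_cookie=WP%20Cookie%20check; path=/; Secure; SameSite=Lax",
    "prefs=1; path=/; SameSite=None",
]

if __name__ == "__main__":
    for method in ("GET", "POST"):
        print(method, "return request, withheld:", audit(SAMPLE, method))
```

Feed it the Set-Cookie values from a response captured before sign-in; any session cookie it lists for the return method your setup uses will be missing when the site compares the anti-forgery ID.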
