Ory is the largest open source community in the world for cloud software application security. We maintain advanced open source security software solving authentication, authorization, access control, application network security, and delegation. Ory implements a variety of industry and best-practice standards including OAuth 2.0 / OAuth 2.1, OpenID Connect, Zero Trust Networking, Google Zanzibar Policy Framework, FIDO2 U2F, WebAuthn, TOTP, and more.

Ory Community

Hi! I'm having CSRF issues and I've noticed that /self-service/login/browser is setting 3 csrf_token cookies... Is this ok or should there be just one? :cry:

Also, kratos says that expected_token is ABC, but in flow response I receive a totally different token DEF that doesn't match :&lt;

Here's what I receive from flow response:

The csrf_token is being sent in the form data, but apparently, it doesn't match...

v0.9.0-alpha.3 and this is webauthn login flow

happens right after I submit the form with email, csrf_token and method: "webauthn"

In fact, I think I've figured it out, don't waste time pls, I'll let you know later what was the issue if I manage to fix it