Hi 👋
I’m currently using the latest flutter_appauth (11.0.0) in my Flutter application.
I’m facing an antiforgery (CSRF) validation issue from my ASP.NET backend. The issue only happens on Android. The same flow works perfectly on iOS.
On Android, the authentication process fails with an HTTP 400 error from the server, which is caused by antiforgery validation failure on the ASP.NET side.
What’s happening
- Login flow uses Authorization Code + PKCE.
- ASP.NET server validates antiforgery token.
- On Android, the server responds with HTTP 400 (antiforgery validation failed).
- On iOS, everything works as expected.
Important observation
This seems to be related to Chrome Custom Tabs cookie/session handling on Android.
Here’s what I noticed:
- If I clear Chrome app cache manually from device settings → login works once.
- On the second login attempt → antiforgery issue returns.
- Clearing cookies from Flutter side does not fully resolve it.
- Only clearing Chrome’s cache fixes it temporarily.
So it strongly looks like a cookie persistence or session mismatch issue in Chrome Custom Tabs.
Steps to Reproduce
- Install app on Android device
- Perform login → Works first time (after clearing Chrome cache)
- Logout
- Try login again
- Server returns HTTP 400 (antiforgery validation failure)
Expected Behavior
Authentication should consistently work without requiring manual Chrome cache clearing.
Actual Behavior
- HTTP 400 returned from ASP.NET server
- Antiforgery validation fails
- Only happens on Android
- Works fine on iOS
Environment
- Flutter version: 3.38.9
- Dart version 3.10.8
- flutter_appauth: 11.0.0
- Backend: ASP.NET (with antiforgery validation enabled)
- Android browser: Chrome (Custom Tabs)
- iOS: Works correctly
Question
Has anyone experienced antiforgery/cookie persistence issues specifically with Android Chrome Custom Tabs?
Is there a recommended way to:
- Properly clear Custom Tab cookies/session?
- Force fresh authentication session?
- Avoid Chrome-level cookie reuse?
Any guidance would be greatly appreciated 🙏
Hi 👋
I’m currently using the latest flutter_appauth (11.0.0) in my Flutter application.
I’m facing an antiforgery (CSRF) validation issue from my ASP.NET backend. The issue only happens on Android. The same flow works perfectly on iOS.
On Android, the authentication process fails with an HTTP 400 error from the server, which is caused by antiforgery validation failure on the ASP.NET side.
What’s happening
Important observation
This seems to be related to Chrome Custom Tabs cookie/session handling on Android.
Here’s what I noticed:
So it strongly looks like a cookie persistence or session mismatch issue in Chrome Custom Tabs.
Steps to Reproduce
Expected Behavior
Authentication should consistently work without requiring manual Chrome cache clearing.
Actual Behavior
Environment
Question
Has anyone experienced antiforgery/cookie persistence issues specifically with Android Chrome Custom Tabs?
Is there a recommended way to:
Any guidance would be greatly appreciated 🙏