From 5f21ab414b2fda5c9db06b87c9bd6f48a10e2a2e Mon Sep 17 00:00:00 2001
From: David <david.challener@happydance.love>
Date: Mon, 6 Jan 2025 15:43:16 +0000
Subject: [PATCH] Don't change securitystamp until user created

---
 .../Controllers/BackOfficeController.cs                       | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/Umbraco.Web.BackOffice/Controllers/BackOfficeController.cs b/src/Umbraco.Web.BackOffice/Controllers/BackOfficeController.cs
index e81db799c3a3..f6d7a76a488c 100644
--- a/src/Umbraco.Web.BackOffice/Controllers/BackOfficeController.cs
+++ b/src/Umbraco.Web.BackOffice/Controllers/BackOfficeController.cs
@@ -230,10 +230,12 @@ public async Task<IActionResult> VerifyInvite(string invite)
 
         // sign the user in
         DateTime? previousLastLoginDate = identityUser.LastLoginDateUtc;
+        var securityStamp = identityUser.SecurityStamp;
         await _signInManager.SignInAsync(identityUser, false);
 
-        // reset the lastlogindate back to previous as the user hasn't actually logged in, to add a flag or similar to BackOfficeSignInManager would be a breaking change
+        // reset the lastlogindate and securitystamp back to previous as the user hasn't actually logged in, to add a flag or similar to BackOfficeSignInManager would be a breaking change
         identityUser.LastLoginDateUtc = previousLastLoginDate;
+        identityUser.SecurityStamp = securityStamp;
         await _userManager.UpdateAsync(identityUser);
 
         return RedirectToLogin(new { flow = "invite-user", invite = "1" });