Steps to reproduce:
- Ensure SAML is disabled (it prevents guest commenting)
- Place the blogs portlet on a page
- Verify that the blogs portlet allows comments (should be by default)
- Log out and navigate back to the blogs page as guest user
- Enter some comment, and click "Reply as..."
- Enter the credentials of any valid user and press "Sign In"
Expected result: You are signed in as the user and your comment is posted (with a success message)
Actual result: The saving of the comment fails due to CSRF token validation, and consequently the page is not refreshed. A page refresh reveals you are in fact logged in.
This means that in step 6 you will be able to reproduce the issue using any SSO as well.
Reproducible on 7.0.x: f8211117fec8ed50ad6b83a086d4b46bfbd60a8f
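
A minimal model of the actual result above, added here as an illustration and not taken from the product's code. It assumes the CSRF token is bound to the server-side session and that signing in replaces the guest session; the class, function and user names are hypothetical.

```python
import secrets


class Server:
    """Toy model: one CSRF token per session, session replaced at sign-in."""

    def __init__(self):
        self.sessions = {}  # session id -> {"user": ..., "csrf": ...}

    def new_session(self, user=None):
        sid = secrets.token_hex(8)
        self.sessions[sid] = {"user": user, "csrf": secrets.token_hex(16)}
        return sid

    def render_page(self, sid):
        # The token is embedded in the page at render time.
        return self.sessions[sid]["csrf"]

    def sign_in(self, old_sid, user):
        # Assumption: the guest session is discarded and a fresh one is issued.
        del self.sessions[old_sid]
        return self.new_session(user)

    def post_comment(self, sid, token, body):
        session = self.sessions[sid]
        if not secrets.compare_digest(token, session["csrf"]):
            return "csrf-rejected"
        return f"posted-by:{session['user']}"


def reply_as(server, refresh_token_after_login):
    """Guest types a comment, signs in from the inline dialog, comment is sent."""
    sid = server.new_session()            # guest session
    page_token = server.render_page(sid)  # token baked into the guest page
    sid = server.sign_in(sid, "alice")    # constructed user name
    if refresh_token_after_login:
        page_token = server.render_page(sid)  # client picks up the new token
    result = server.post_comment(sid, page_token, "nice post")
    # The second value shows the login itself succeeded in both cases.
    return result, server.sessions[sid]["user"]


if __name__ == "__main__":
    print("stale token:    ", reply_as(Server(), False))
    print("refreshed token:", reply_as(Server(), True))
```

With the stale guest-page token the comment is rejected even though the session now belongs to the signed-in user, which matches the report; in this model the post succeeds once the client obtains the token of the new session before submitting.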