解密表单 cookie 时出现“加密操作期间发生错误”

Question

I've uploaded my website to a webhosting and this error came up;
' Error occurred during a cryptographic operation .'.

I've done some research and it seems that the formauthenticated cookie is bound to the MachineKey (which differs when using webhost).

I've found a method that should fix this problem but the error remains.

CODE:

/// <summary>
    /// This method removes a cookie if the machine key is different than the one that saved the cookie;
    /// </summary>
    protected void Application_Error(object sender, EventArgs e)
    {
        var error = Server.GetLastError();
        var cryptoEx = error as CryptographicException;
        if (cryptoEx != null)
        {
            FederatedAuthentication.WSFederationAuthenticationModule.SignOut();
            Global.Cookies.FormAuthenticated Cookie = new Global.Cookies.FormAuthenticated();
            Cookie.Delete();
            Server.ClearError();
        }
    }

STACKTRACE:

[CryptographicException: Error occurred during a cryptographic operation.]
   System.Web.Security.Cryptography.HomogenizingCryptoServiceWrapper.HomogenizeErrors(Func`2 func, Byte[] input) +115
   System.Web.Security.Cryptography.HomogenizingCryptoServiceWrapper.Unprotect(Byte[] protectedData) +59
   System.Web.Security.FormsAuthentication.Decrypt(String encryptedTicket) +9824926
   Archive_Template.Main.resolveLoginUser(String sessionKey) in f:\Archive_Template\Archive_Template\Main.aspx.cs:481
   Archive_Template.Main.OnPreInit(EventArgs e) in f:\Archive_Template\Archive_Template\Main.aspx.cs:52
   System.Web.UI.Page.PerformPreInit() +31
   System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +335

Answer 1

对于尚未解决问题的任何人，我在 web.config 中缺少用于加密/解密的“machineKey”条目

Answer 2

I faced the same problem. I just cleared all of browser's cookies and cache data and it got fixed.I hope it will work for you too.

Answer 3

If you are using forms auth. you can signout when you catch the exception and allow your users to login and create a valid cookie

catch (CryptographicException cex)
{
    FormsAuthentication.SignOut();
}

Answer 4

This is due to the machine key is missing, which is used as a symmetric key to do the encryption and decryption.

To set the machine in the IIS;

Go to your application -> Machine Keys -> Generate Keys

Answer 5

我也有这个，我从数据库中删除了 UserTokenCaches 表条目。

Answer 6

另一种选择是从浏览器设置中清除 cookie，这允许存储新的 cookie。

Answer 7

I have also experienced this when developing a new solution and running the website on localhost. Setting the machinekey made no difference, but simply deleting all the cookies for localhost solved the problem.

Answer 8

I ran into this problem when I tried to take a forms authentication cookie created by an ASP.NET 2.0 app and decrypt it inside an .NET4.5 Web API project. The solution was to add an attribute called "compatibilityMode" to the "machineKey" node inside my web api's web.config file:

<machineKey 
...
compatibilityMode="Framework20SP2"/>

Documentation: https://msdn.microsoft.com/en-us/library/system.web.configuration.machinekeysection.compatibilitymode.aspx

And from the doc, here are the allowed values for that attribute:

• Framework20SP1 . This value specifies that ASP.NET uses encryption methods that were available in versions of ASP.NET earlier than 2.0 SP2. Use this value for all servers in a web farm if any server has a version of the .NET Framework earlier than 2.0 SP2. This is the default value unless the application Web.config file has the targetFramework attribute of the httpRuntime element set to "4.5".
• Framework20SP2 . This value specifies that ASP.NET uses upgraded encryption methods that were introduced in the .NET Framework 2.0 SP2. Use this value for all servers in a web farm if all servers have the .NET Framework 2.0 SP2 or later but at least one does not have the .NET Framework 4.5.
• Framework45 . Cryptographic enhancements for ASP.NET 4.5 are in effect. This is the default value if the application Web.config file has the targetFramework attribute of the httpRuntime element set to "4.5".

Answer 9

       protected void Application_Error(object sender_, CommandEventArgs e_)
    {
        Exception exception = Server.GetLastError();
        if(exception is CryptographicException)
        {
            FormsAuthentication.SignOut();
        }
    }

in your Global.asax.cs, from Catching errors in Global.asax , as long as you use Forms authentication (login/password). Worked for me.

Answer 10

If you receive this error when implementing single sign on (as described here http://www.alexboyang.com/2014/05/28/sso-for-asp-net-mvc4-and-mvc5-web-apps-shared-the-same-domain/ ), make sure to have the same target framework across all projects. I had one project with .NET 4.0 and the other on .NET 4.5.2.

Changing the first one to 4.5.2 fixed the issue for me.

Answer 11

I was getting crypto errors when validating the AntiForgery token.

I believe it was because I had just made some security control configuration changes to my server to configure application recycling to recycle when Virtual Memory limits hit 1,000,000 Kilobytes.

This was definitely way too little for virtual memory recycling. Private memory usage can be set to 1,000,000 KB, but virtual memory should be given a lot more space.

I noticed my application was recycling much too often.

I increased the Virtual Memory limit to 10,000,000 KB and those errors went away. I believe the application pool may have been recycling as I was filling out the form.

Answer 12

I had the same issue: MVC 5 ASP.Net Web Application .net Framework 4.6.1

Solution:

1. Go to App_Data folder (Solution explorer)
2. Double click in your NAME.mdf (this action open Server Explorer Tab)
3. Right click on UserTokenCaches table and view Show Table Data
4. Delete the row
5. Run app again and everything will be ok

Answer 13

对我来说，是<httpRuntime targetFramework="4.7.2"/>导致了兼容性问题。我的应用程序没有在网络中的<httpRuntime targetFramework="4.7.2"/>中使用 targetFramework="4.7.2" 参数.config 而 webApi 正在使用<httpRuntime targetFramework="4.7.2"/>从 WebApi 中删除参数或在应用程序中添加参数就可以了。

Answer 14

I had this problem when somebody decided to change the encryption algorithm to DES (a very old standard of encryption). Moving it back to AES (a more modern encryption standard) cleared the error.

Might have been something to do with Group Policy disabling DES...

The encryption algorithm is hidden in the Machine Key section (with IIS). There's probably a way of setting it in the web.config also.