在 ASP.NET 内核中使用 Antiforgery 并得到错误 - 无法解密防伪令牌

Question

My ASP.Net Core MVC application have added Antiforgery middleware like below:

startup.cs

services.AddMvc();
services.AddSession();
services.AddCaching();
services.AddSession(o =>
{
  o.IdleTimeout = TimeSpan.FromMinutes(120);
});
services.AddAntiforgery();

I've added below in the view and controller

View:

<form action="/Home/Login" method="post" id="staff-login" autocomplete="off">
    @Html.AntiForgeryToken()
 ...

Controller

[HttpPost, ValidateAntiForgeryToken] 
public IActionResult Login(IFormCollection formCollection) 
{...}

The problem is users always get below when users come across different forms.

System.InvalidOperationException: The antiforgery token could not be decrypted. ---> System.Security.Cryptography.CryptographicException: The key {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} was not found in the key ring.

I found a solution which suggests setting a static pair of validation/decryption key in the web.config but it seems this solution is only for classic asp.net application. How should I do in ASP.Net core?

Answer 1

I've had exactly that error on a ASP .net core app hosted on a linux container.

From the docs it would seem if you don't meet certain criteria the keys are only persisted in the process - but that even for me was not working.

First the error occurred with the default setup.
I then added specific configuration for the keys on the filesystem:

            services.AddDataProtection()
                .PersistKeysToFileSystem(new System.IO.DirectoryInfo(@"/var/my-af-keys/"));

This also didn't fix the issue I had to set an application name:

            services.AddDataProtection()
                .SetApplicationName("fow-customer-portal")
                .PersistKeysToFileSystem(new System.IO.DirectoryInfo(@"/var/dpkeys/"));

I haven't confirmed but its possible nature of the LXC hosting means .net core cannot persist the identity of the app.

Answer 2

I've had this because I started using the application on a localhost port and then was trying to use it in docker with the same port. By then I had cookies that specified the key generated by my machine, so It wouldn't work on docker.

TL;DR clear your cookies if you ever used that domain/port from other machines.

Answer 3

What worked for me was using a new user account instead of NETWORK SERVICE as the error message included this:

System.UnauthorizedAccessException: Access to the path 'C:\\Windows\\system32\\config\\systemprofile' is denied.

Answer 4

AWS, Azure and Google Cloud have libraries to make use of their data stores.

Azure and also to make use of Redis: https://docs.microsoft.com/en-us/aspnet/core/security/data-protection/implementation/key-storage-providers?view=aspnetcore-6.0&tabs=visual-studio

AWS: https://aws.amazon.com/blogs/developer/aws-ssm-asp-net-core-data-protection-provider/

services
.AddDataProtection()
.PersistKeysToAWSSystemsManager("/App/DataProtection")
.UseCryptographicAlgorithms(
    new AuthenticatedEncryptorConfiguration
    {
        EncryptionAlgorithm = EncryptionAlgorithm.AES_256_CBC,
        ValidationAlgorithm = ValidationAlgorithm.HMACSHA256
    }
);

Answer 5

我在 azure 上运行 .net core 5 应用程序的 linux 容器中遇到了类似的问题，并以私有模式打开浏览器解决了这个问题。