ASP.NET Core Identity - Invalid Token (Linux)

I'm using the latest .NET Core (1.1) and EF Core to build my ASP.NET website, and I also use ASP.NET Identity. I have already published my website to an Azure host and everything is working as expected there (including on my Windows localhost). However, I'm now switching to my own dedicated Linux (CentOS 7) server with Apache. I have the site working, but I get "Invalid Token" messages when trying to reset a password or confirm an email.

I have checked other questions like this, and the solution was to encode/decode the URL which is sent via email. However, I have already done that and it's still not working.

I also tried to copy the whole database from localhost to my server in case there was something with migrations on the Linux host, however that also did not help. All migrations are applied and other things that don't use Identity context also work.

After additional searching I have found that it might be a problem with different machine keys on the host and that the security stamp is not in sync, but I don't see how that could affect me, because I deploy a whole new version of my app to the server, and on localhost everything works, as well as on Azure hosting. Also, this used to be a problem with ASP.NET MVC, not Core.

How can I even debug this issue? I have not seen anyone having this problem with the new EF Core, and especially not on a Linux host.

I deploy the site using the latest VS 17. I have set up an Apache proxy as guided on the official .NET Core website: link

A dotnet core MVC application by default saves your authentication tokens encrypted in a cookie.

The seed/key for this encryption/decryption of the data is based on your machine key, which is different on every machine.

If you run multiple instances of your app (load balanced), this message/error will happen when your system tries to decrypt the session cookie created on the other machine.

On the other hand, if you still have cookie information in your browser and you start hosting the website on a different host, of course this new host won't be able to decrypt these already existing session cookies.

I know this because I had the same problem. You can find the source code of session here: https://github.com/aspnet/Session/tree/dev/src/Microsoft.AspNetCore.Session

I tried this when dotnet core was not yet released and I ended up using this blog. But it is probably very outdated now.

I'd advise you to use an external session store instead of using the cookie as data storage. Read through their documentation on how to set that up: https://docs.microsoft.com/en-us/aspnet/core/fundamentals/app-state
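Identity's password-reset and email-confirmation tokens are protected with the ASP.NET Core Data Protection key ring, the same per-host key material the answer describes. The console program below is an added example, not code from the question or the answer: it assumes the Microsoft.AspNetCore.DataProtection package, and the directory names, application name and payload are constructed. It shows a payload failing to unprotect on a host with its own key ring and succeeding once both hosts persist keys to one location.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.Extensions.DependencyInjection;

public static class KeyRingDemo
{
    // Builds an independent protector, standing in for one host or one process start.
    // keyDir and the application name "MySite" are constructed values.
    static IDataProtector BuildHost(string keyDir)
    {
        var services = new ServiceCollection();
        services.AddDataProtection()
            .PersistKeysToFileSystem(new DirectoryInfo(keyDir)) // keys survive restarts
            .SetApplicationName("MySite");                      // same name on every host
        return services.BuildServiceProvider()
            .GetRequiredService<IDataProtectionProvider>()
            .CreateProtector("demo-token");
    }

    // True when a payload protected on host A can be read on host B.
    static bool RoundTrips(string keyDirA, string keyDirB)
    {
        const string token = "user-42:security-stamp"; // constructed sample payload
        string payload = BuildHost(keyDirA).Protect(token);
        try
        {
            return BuildHost(keyDirB).Unprotect(payload) == token;
        }
        catch (CryptographicException)
        {
            return false; // the key id in the payload is not in this host's key ring
        }
    }

    public static void Main()
    {
        string root = Path.Combine(Path.GetTempPath(), "dp-demo-" + Guid.NewGuid().ToString("N"));
        string hostA = Path.Combine(root, "hostA");
        string hostB = Path.Combine(root, "hostB");
        string shared = Path.Combine(root, "shared");

        Console.WriteLine("separate key rings: " + RoundTrips(hostA, hostB));
        Console.WriteLine("shared key ring:    " + RoundTrips(shared, shared));
        Directory.Delete(root, recursive: true);
    }
}
```

In a web app the same `AddDataProtection()` chain goes in `Startup.ConfigureServices`. With no key-encryption option configured, the persisted key files are stored unencrypted, so the directory should be readable only by the account that runs the site.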
