asp.net core 2.0 deployment - InvalidOperationException: The antiforgery token could not be decrypted

Recently I developed an ASP.NET Core 2.0 web app at my company, and in debug mode it works perfectly. However, when I deployed it to IIS on our testing server and we tried to run it from a client machine, it ran into a problem:

An unhandled exception occurred while processing the request.
CryptographicException: The key {0851ad3b-df33-4cf7-8c3a-5c637adaa713} was not found in the key ring.
Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.UnprotectCore(Byte[] protectedData, bool allowOperationsOnRevokedKeys, out UnprotectStatus status)

InvalidOperationException: The antiforgery token could not be decrypted.
Microsoft.AspNetCore.Antiforgery.Internal.DefaultAntiforgeryTokenSerializer.Deserialize(string serializedToken)

The problem starts when I submit the login page. I investigated links with the same problem here and on other blogs, and I found that it has to do with ValidateAntiForgeryToken and that the solution is related to Microsoft.AspNetCore.DataProtection. I added the NuGet package Microsoft.AspNetCore.DataProtection.Redis to my project and added the following code in ConfigureServices of the Startup class:

    var redis = ConnectionMultiplexer.Connect("192.168.10.151:80");
    services.AddDataProtection().PersistKeysToRedis(redis, "DataProtection-Keys");
    services.AddOptions();

Our testing server IP is 192.168.10.151; however, the app throws the following exception:

RedisConnectionException: It was not possible to connect to the redis server(s); to create a disconnected multiplexer, disable AbortOnConnectFail. InternalFailure on PING

Why doesn't it connect, since it is resolving on the same web app server? Where is the DataProtection-Keys database located?

As a workaround, I changed the method to use PersistKeysToFileSystem, as follows:

    services.AddDataProtection()
        .SetApplicationName("myapp-portal")
        .PersistKeysToFileSystem(new System.IO.DirectoryInfo(@"c:\ProgramData\dpkeys"));

However, when running the app on test server 192.168.10.151, submitting the login form goes back to the login page. The stdout log file only shows:

    Hosting environment: Production
    Content root path: C:\\inetpub\\wwwroot\\OmniPays
    Now listening on: http://localhost:30064
    Application started. Press Ctrl+C to shut down.

Checking the network messages in Chrome's developer tools, I noticed something:

    Request URL: http://192.168.10.151/OmniPays/Account/Login
    Request Method: POST
    Status Code: 302 Found
    Remote Address: 192.168.10.151:80
    Referrer Policy: no-referrer-when-downgrade

and then ...

    Request URL: http://192.168.10.151/OmniPays/Home/Main
    Request Method: GET
    Status Code: 302 Found
    Remote Address: 192.168.10.151:80
    Referrer Policy: no-referrer-when-downgrade

AccountController's Login action redirects the request to HomeController's Main action only if authentication succeeded, and the Main action has the [Authorize] attribute. For some reason I can't understand, the Main action fails and returns to the Login page. The URL in Chrome shows: http://192.168.10.151/OmniPays/Account/Login?ReturnUrl=%2FOmniPays%2FHome%2FMain

I'm using Microsoft Identity. In debug mode it works fine, and if I deploy the app to IIS on my local PC it also works fine. Maybe an SDK is missing on the server?

Please, I need help!!

Solution was found! The cause of the problem was neither IIS nor the server. The connection to the server uses http rather than https, with no certificates involved to validate a secure connection; however, when testing on different servers the app works OK, so I felt really disappointed. The solution was to remove cookies and any data related to this URL pointing to the Development Server (the failing one) in all browsers, data that was previously stored, and voilà! Now the app works perfectly. By default, as bhmahler comments, data protection is done in memory, and I left the configuration at its default, I mean, without explicit persistence in Redis or PersistKeysToFileSystem, and it works fine; however, it is important to set DataProtection to strong data sensitive protection.

I'm a newbie on these topics, and it's unbelievable that such a simple thing caused me such a waste of time. Thanks to all!
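
The CryptographicException quoted at the top is raised when a cookie or token was protected with a key that the running app's key ring does not contain, which is why browser cookies issued under an earlier key ring fail. The following is an added example, not the poster's code: it protects a value with one key directory and unprotects it with a separate one, then with the same one. It assumes the Microsoft.AspNetCore.DataProtection.Extensions package; the purpose string, payload and temp directories are constructed for the demo.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using Microsoft.AspNetCore.DataProtection;

public static class KeyRingDemo
{
    // Constructed values for the demo; not taken from the poster's app.
    private const string Purpose = "Demo.AntiforgeryToken.v1";
    private const string Payload = "constructed-token-payload";

    // Builds a protector whose key ring lives in keyDir, with a fixed application name.
    private static IDataProtector NewProtector(string keyDir) =>
        DataProtectionProvider
            .Create(new DirectoryInfo(keyDir),
                    builder => builder.SetApplicationName("myapp-portal"))
            .CreateProtector(Purpose);

    // True when a token issued with the keys in issuerDir can be read
    // by an app instance whose key ring is loaded from readerDir.
    public static bool CanRoundTrip(string issuerDir, string readerDir)
    {
        string token = NewProtector(issuerDir).Protect(Payload);
        try
        {
            return NewProtector(readerDir).Unprotect(token) == Payload;
        }
        catch (CryptographicException ex)
        {
            // The reader's key ring has never seen the issuer's key id.
            Console.WriteLine($"Unprotect failed: {ex.Message}");
            return false;
        }
    }

    public static void Main()
    {
        string root = Path.Combine(Path.GetTempPath(),
                                   "dpkeys-demo-" + Guid.NewGuid().ToString("N"));
        string dirA = Path.Combine(root, "a");
        string dirB = Path.Combine(root, "b");

        Console.WriteLine($"separate key rings: {CanRoundTrip(dirA, dirB)}");
        Console.WriteLine($"shared key ring:    {CanRoundTrip(dirA, dirA)}");
        Directory.Delete(root, recursive: true);
    }
}
```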
