Asp.Net MVC Core: “Error unprotecting the session cookie” exception
From @skorunka on Tuesday, November 29, 2016 6:02:13 AM
I have an ASP.NET MVC application with this authentication setup:

ConfigureServices():

```csharp
services.AddSession();
services.AddAuthentication(sharedOptions => sharedOptions.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme);
```

Configure():

```csharp
app.UseCookieAuthentication(new CookieAuthenticationOptions());
app.UseOpenIdConnectAuthentication(new OpenIdConnectOptions
{
    ClientId = "xx",
    Authority = "xx",
    Events = new OpenIdConnectEvents { OnRemoteFailure = this.OnAuthenticationFailed }
});
app.UseSession();
```
When hosted in IIS, some users get this exception:

```text
Microsoft.AspNetCore.Session.SessionMiddleware,
Error unprotecting the session cookie.
System.Security.Cryptography.CryptographicException: The key {9ec59def-874e-45df-9bac-d629f5716a04} was not found in the key ring.
at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.UnprotectCore(Byte[] protectedData, Boolean allowOperationsOnRevokedKeys, UnprotectStatus& status)
at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.DangerousUnprotect(Byte[] protectedData, Boolean ignoreRevocationErrors, Boolean& requiresMigration, Boolean& wasRevoked)
at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.Unprotect(Byte[] protectedData)
at Microsoft.AspNetCore.Session.CookieProtection.Unprotect(IDataProtector protector, String protectedText, ILogger logger)
```

I have run this on the hosting server: https://github.com/aspnet/DataProtection/blob/dev/Provision-AutoGenKeys.ps1

The site has only an HTTPS binding, and the SSL certificate is valid and signed. What might cause this issue? What actually is that "key" value?
Copied from original issue: aspnet/DataProtection#189
Answer
vitali-karmanov
Add `options.Cookie.SecurePolicy = CookieSecurePolicy.Always;` to the session options to only set application cookies over a secure connection.

```csharp
services.AddSession(options =>
{
    // Set a short timeout for easy testing.
    options.IdleTimeout = TimeSpan.FromMinutes(60);
    // You might want to only set the application cookies over a secure connection:
    options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
    options.Cookie.SameSite = SameSiteMode.Strict;
    options.Cookie.HttpOnly = true;
    // Make the session cookie essential
    options.Cookie.IsEssential = true;
});
```
This should fix your problem!
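The exception in the question is raised by Data Protection, not by the session cookie flags: "key {…} was not found in the key ring" means the cookie was protected with a key that the process now handling the request does not hold, which happens when the key ring is regenerated (per app pool identity, per server, or after a recycle with no persisted store). The following Startup is an added example, not code from either participant; it pins the key ring to one shared, persisted location with a fixed application name and combines that with the secure session-cookie options from the answer, written against the ASP.NET Core 2.x API that the answer's `options.Cookie.*` settings belong to. The application name, the key share path and the `/error` redirect are assumptions.

```csharp
using System;
using System.IO;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // Persist the Data Protection key ring somewhere every instance of the app can
        // read, so a session cookie protected by one process can be unprotected by
        // another. SetApplicationName isolates this app's keys from other apps that
        // share the same store. Both values are assumptions for this example.
        services.AddDataProtection()
            .SetApplicationName("my-mvc-app")
            .PersistKeysToFileSystem(new DirectoryInfo(@"\\fileserver\dp-keys"))
            // Keys on a network share must not sit there in clear text; DPAPI-protect
            // them (Windows only) and restrict the share's ACL to the app pool identity.
            .ProtectKeysWithDpapi();

        // Session cookie hardening as in the answer above.
        services.AddSession(options =>
        {
            options.IdleTimeout = TimeSpan.FromMinutes(60);
            options.Cookie.SecurePolicy = CookieSecurePolicy.Always; // HTTPS only
            options.Cookie.HttpOnly = true;                           // not readable from script
            options.Cookie.SameSite = SameSiteMode.Strict;
            options.Cookie.IsEssential = true;
        });

        // Cookie sign-in scheme plus OpenID Connect challenge, equivalent to the
        // UseCookieAuthentication / UseOpenIdConnectAuthentication pair in the question.
        services.AddAuthentication(options =>
        {
            options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
        })
        .AddCookie()
        .AddOpenIdConnect(options =>
        {
            options.ClientId = "xx";   // placeholder, as in the question
            options.Authority = "xx";  // placeholder, as in the question
            options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            options.Events = new OpenIdConnectEvents
            {
                // Handle remote sign-in failures without leaking the raw error page.
                OnRemoteFailure = ctx =>
                {
                    ctx.HandleResponse();
                    ctx.Response.Redirect("/error"); // assumed error route
                    return Task.CompletedTask;
                }
            };
        });

        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app)
    {
        // Session and authentication middleware must run before MVC so that
        // controllers see the authenticated user and the unprotected session.
        app.UseAuthentication();
        app.UseSession();
        app.UseMvcWithDefaultRoute();
    }
}
```

With a persisted, shared key ring, a key id such as the `{9ec59def-…}` value in the question stays resolvable for the lifetime of that key (90 days by default, after which a new key is created and old ones remain for decryption), so "not found in the key ring" only recurs if an instance cannot read the store or is configured with a different application name. Checking the store's contents and ACL, and confirming that every server writes to the same directory, is the first diagnostic step when the error appears.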