Asp.Net MVC Core: “Error unprotecting the session cookie” exception

From @skorunka on Tuesday, November 29, 2016 6:02:13 AM

I have an Asp.NET MVC application with this Authentication setup:


services.AddAuthentication(sharedOptions => sharedOptions.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme);

app.UseCookieAuthentication(new CookieAuthenticationOptions());
app.UseOpenIdConnectAuthentication(new OpenIdConnectOptions
{
    ClientId = "xx",
    Authority = "xx",
    Events = new OpenIdConnectEvents { OnRemoteFailure = this.OnAuthenticationFailed }
});


When hosted in IIS, some users get this exception:

      Error unprotecting the session cookie.
System.Security.Cryptography.CryptographicException: The key {9ec59def-874e-45df-9bac-d629f5716a04} was not found in the key ring.
   at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.UnprotectCore(Byte[] protectedData, Boolean allowOperationsOnRevokedKeys, UnprotectStatus& status)
   at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.DangerousUnprotect(Byte[] protectedData, Boolean ignoreRevocationErrors, Boolean& requiresMigration, Boolean& wasRevoked)
   at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.Unprotect(Byte[] protectedData)
   at Microsoft.AspNetCore.Session.CookieProtection.Unprotect(IDataProtector protector, String protectedText, ILogger logger)

I have run this on the hosting server

Web has only HTTPS binding, SSL certificate is ok and signed. What might cause this issue? What actually is that "key" value?

Copied from original issue: aspnet/DataProtection#189


Answer from vitali-karmanov

Add options.Cookie.SecurePolicy = CookieSecurePolicy.Always; to the Session options to only set application cookies over a secure connection.

services.AddSession(options =>
{
    // Set a short timeout for easy testing.
    options.IdleTimeout = TimeSpan.FromMinutes(60);
    // You might want to only set the application cookies over a secure connection:
    options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
    options.Cookie.SameSite = SameSiteMode.Strict;
    options.Cookie.HttpOnly = true;
    // Make the session cookie essential
    options.Cookie.IsEssential = true;
});

This should fix your problem!
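
On the question of what the "key" value is: it is the id of the Data Protection key that encrypted the cookie, and it is stored in the protected payload right after the 09 F0 C9 F0 header. The script below is an added example (not part of the question, the answer, or the ASP.NET Core code base) that reads that id from a cookie value and checks whether a given key ring contains it. The function names, the tolerant base64 handling, the sample cookie and the sample key XML are assumptions constructed for illustration.

```python
import base64
import uuid
import xml.etree.ElementTree as ET
from urllib.parse import unquote

MAGIC = bytes.fromhex("09f0c9f0")  # version header of a Data Protection payload


def payload_key_id(cookie_value):
    """Return the key id embedded in a protected cookie value."""
    # Assumption: the value is base64 (standard or URL-safe), possibly
    # percent-encoded and with '=' padding stripped.
    text = unquote(cookie_value).replace("-", "+").replace("_", "/")
    raw = base64.b64decode(text + "=" * (-len(text) % 4))
    if len(raw) < 20 or raw[:4] != MAGIC:
        raise ValueError("not a Data Protection payload")
    # The 128-bit key id follows the header in .NET Guid byte order.
    return uuid.UUID(bytes_le=raw[4:20])


def key_ring_ids(key_xml_documents):
    """Collect ids from key ring documents of the form <key id="...">."""
    ids = set()
    for doc in key_xml_documents:
        root = ET.fromstring(doc)
        if root.tag == "key" and root.get("id"):
            ids.add(uuid.UUID(root.get("id")))
    return ids


def diagnose(cookie_value, key_xml_documents):
    """Return (key id, True if that key id is present in the key ring)."""
    key_id = payload_key_id(cookie_value)
    return key_id, key_id in key_ring_ids(key_xml_documents)


# Constructed sample: header + the key id from the exception + dummy bytes.
LOGGED_ID = uuid.UUID("9ec59def-874e-45df-9bac-d629f5716a04")
SAMPLE_COOKIE = base64.b64encode(
    MAGIC + LOGGED_ID.bytes_le + bytes(32)).decode().rstrip("=")
# Constructed key ring entry holding a different key id than the cookie's.
OTHER_KEY_XML = '<key id="11111111-2222-3333-4444-555555555555" version="1"/>'

if __name__ == "__main__":
    print(diagnose(SAMPLE_COOKIE, [OTHER_KEY_XML]))
```

A result of False for a cookie that a user actually presented means the process reading it does not hold the key that protected it, which is the condition the exception reports.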

