dotnet / aspnetcore

ASP.NET Core is a cross-platform .NET framework for building modern cloud-based web applications on Windows, Mac, or Linux.
https://asp.net
MIT License

Error unprotecting the session cookie - ASP .NET Core 3.1.5/3.1.9 #27316

Closed xiaoliyu closed 4 years ago

xiaoliyu commented 4 years ago

I had a really weird issue. One server (Windows 2016 with IIS 10) is always logging the warning message "Error unprotecting the session cookie" in the Windows Event Viewer. The IIS pool user is in the local Administrators group. I upgraded .NET Core from Runtime 3.1.5 to 3.1.9 and also rebooted the server. I still got the warning message, but the stack trace is different. Would you please help me identify the root cause?

.NET Core 3.1.5 warning:

Category: Microsoft.AspNetCore.Session.SessionMiddleware
EventId: 7
RequestId: 800000ee-0002-ef00-b63f-84710c7967bb
SpanId: |df011e9-48ab24b598051c22.
TraceId: df011e9-48ab24b598051c22
ParentId:

Error unprotecting the session cookie.

Exception: System.Security.Cryptography.CryptographicException: The provided payload cannot be decrypted because it was not protected with this protection provider.
   at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.UnprotectCore(Byte[] protectedData, Boolean allowOperationsOnRevokedKeys, UnprotectStatus& status)
   at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.DangerousUnprotect(Byte[] protectedData, Boolean ignoreRevocationErrors, Boolean& requiresMigration, Boolean& wasRevoked)
   at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.Unprotect(Byte[] protectedData)
   at Microsoft.AspNetCore.Session.CookieProtection.Unprotect(IDataProtector protector, String protectedText, ILogger logger)

.NET Core 3.1.9 warning:

Category: Microsoft.AspNetCore.Session.SessionMiddleware
EventId: 7
RequestId: 80000026-0001-f700-b63f-84710c7967bb
RequestPath: /auto/dapsso/connect/authorize/callback
SpanId: |e8aba888-4e2b4c054cfdf43e.
TraceId: e8aba888-4e2b4c054cfdf43e
ParentId:

Error unprotecting the session cookie.

Exception: System.FormatException: The input is not a valid Base-64 string as it contains a non-base 64 character, more than two padding characters, or an illegal character among the padding characters.
   at System.Convert.FromBase64CharPtr(Char* inputPtr, Int32 inputLength)
   at System.Convert.FromBase64String(String s)
   at Microsoft.AspNetCore.Session.CookieProtection.Unprotect(IDataProtector protector, String protectedText, ILogger logger)

Tratcher commented 4 years ago

That first error is what I'd expect if you were running your app on multiple servers that weren't sharing encryption keys. Are you using multiple servers? https://docs.microsoft.com/en-us/aspnet/core/host-and-deploy/web-farm?view=aspnetcore-3.1#required-configuration

That second one is weird, it looks like the raw cookie is corrupt, it never even gets to the decryption stage. Can you share an example cookie?
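The two symptoms above can be told apart mechanically, because the session middleware's stack traces show the order of operations: the cookie text is first run through Convert.FromBase64String, and only the resulting bytes reach IDataProtector.Unprotect. The console program below is an added example (not code from this issue or from the aspnetcore repository) that reproduces both failure modes with the Microsoft.AspNetCore.DataProtection and Microsoft.AspNetCore.DataProtection.Extensions packages. The key directories, application name, purpose string and sample session value are assumed values chosen for the demonstration; the padding helper re-adds the '=' characters that a trimmed Base64 cookie value lacks.

```csharp
// Added example, not code from the issue or the aspnetcore repo.
// Shows (1) a payload protected by one key ring failing under another key ring
// with CryptographicException, (2) the same payload succeeding when the second
// instance shares the first one's key directory (the web-farm requirement), and
// (3) a non-Base64 cookie value failing with FormatException before decryption.
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;
using Microsoft.AspNetCore.DataProtection;

static class SessionCookieDiagnostics
{
    // Restore the '=' padding that a trimmed Base64 string is missing.
    static string Pad(string text)
    {
        var padding = 3 - ((text.Length + 3) % 4);
        return padding == 0 ? text : text + new string('=', padding);
    }

    // Decode like the session middleware does and classify the outcome.
    public static string Classify(IDataProtector protector, string cookieValue)
    {
        try
        {
            var protectedBytes = Convert.FromBase64String(Pad(cookieValue));
            var plain = protector.Unprotect(protectedBytes);
            return "OK: " + Encoding.UTF8.GetString(plain);
        }
        catch (FormatException)
        {
            // The raw cookie text is not Base64: decryption was never attempted.
            return "CORRUPT COOKIE (FormatException before Unprotect)";
        }
        catch (CryptographicException)
        {
            // Well-formed payload, but protected with a key this app does not hold.
            return "WRONG KEY RING (CryptographicException in Unprotect)";
        }
    }

    static void Main()
    {
        const string purpose = "demo-session-purpose";           // assumed purpose string
        const string appName = "demo-app";                        // assumed application name
        var keysA = Directory.CreateDirectory(Path.Combine(Path.GetTempPath(), "dp-keys-A"));
        var keysB = Directory.CreateDirectory(Path.Combine(Path.GetTempPath(), "dp-keys-B"));

        // "Server A" and "server B" with separate, unshared key rings.
        var serverA = DataProtectionProvider.Create(keysA, b => b.SetApplicationName(appName)).CreateProtector(purpose);
        var serverB = DataProtectionProvider.Create(keysB, b => b.SetApplicationName(appName)).CreateProtector(purpose);
        // A second instance pointed at server A's key directory: shared keys.
        var serverA2 = DataProtectionProvider.Create(keysA, b => b.SetApplicationName(appName)).CreateProtector(purpose);

        // Build a cookie value the same way: protect, Base64-encode, trim padding.
        var protectedBytes = serverA.Protect(Encoding.UTF8.GetBytes("sample-session-id")); // constructed sample
        var cookie = Convert.ToBase64String(protectedBytes).TrimEnd('=');

        Console.WriteLine(Classify(serverA2, cookie));  // OK: shared key ring
        Console.WriteLine(Classify(serverB, cookie));   // WRONG KEY RING: matches the 3.1.5 symptom
        Console.WriteLine(Classify(serverA, "AG-gK8HVkuNItTjTOIr2pg")); // CORRUPT COOKIE: '-' is not a Base64 character
    }
}
```

The third call uses the odd cookie value from the request headers later in this thread: it contains a '-', which standard Base64 does not allow, so Convert.FromBase64String rejects it and the data-protection layer is never consulted. A FormatException at that point therefore points at whatever wrote the cookie, not at key management.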

xiaoliyu commented 4 years ago

@Tratcher Thanks for the quick response! Actually, I only use one server, not multiple servers. .NET Core 3.1.9 produced a different error message. I attached the full request and response headers for your reference. Let me know if you need more information.

Request Headers

Provisional headers are shown

:authority: del1-xoa-dweb1
:method: GET
:path: /auto/dapsso/connect/authorize/callback?client_id=42415689-3B1B-4797-BE0F-B89D521A92F9&redirect_uri=https%3A%2F%2Fdel1-xoa-dweb1%2Fauto%2Fccmdap%2F&response_type=code%20id_token&scope=openid%20profile%20email%20offline_access&state=OpenIdConnect.AuthenticationProperties%3Dmf7eYm4CyA4QI0aAoiQX836VLxbVm5lb12fU6QmvwuW6Ohx_zeUhR6OFWbah7THnOGqPD4Hzxmoe0MOv_TmCEj31kBi1R8CN3hh6bAxztiJI4nibFcxtgXVLo6buF3U98qgGc19fQo2jSoakd-Obbval-sqyjxHCVzFqHldzoZ65v1CVWBPPNNra6pbNEM97Wf2ZEzZznru9WPby3NWJ2rPvwcApXN3Q8JnHKQ4irBs&response_mode=form_post&nonce=637395301041361486.Y2M2ZmQ4YTUtOTM1Mi00MzYzLWI5MTQtNTNkYWM1YjdmOWI5NGY5YjA2OGMtNGVhZC00Y2I2LTg0ZjMtMjBhZmIyZDY2MmE0&x-client-SKU=ID_NET461&x-client-ver=5.6.0.0
:scheme: https
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
cache-control: max-age=0
cookie: .DAPSSO.Antiforgery=CfDJ8EacfO6LIlVAtLjsxTG05JZoSr9s7TwZLGD90UlZl_ChIIXfF4PL1goLfHidM46w3grYClxGqegCgjc1vWQsnSPuK4v7HQB8kVnk8_8pZuqq-yMqYdFwdA3r9DYzFY4mzB8FDzBj8dbGOeMsbn0Tegk; .DAPSSO.Session=AG-gK8HVkuNItTjTOIr2pg; idsrv=CfDJ8EacfO6LIlVAtLjsxTG05JbU_oFo1Dvk645cYpuSCzKfFayDjTlCbf4Hry7j0d1Ql5-_NYN2_yeut8EID8qMcyY75847kisFPvwUeS64vzNmSRDDXSZP9o9oHBrA3etQ-xQ7SQUpsHgQw0upmiX30JwZIVa8vTwu4hcV-GyAtU5C0LJHHXxIR7DtHORnMRYfnopBATwa5mYYmc0LJ_vETF1BR_eaoLCtPVwh7OV8PRFiIhxigkyDUx1fuaym1x2n-qr0v4q5MtYxy5XyvCQ44_b575VYGwSSSWLWKEVpx8EbXl3F9X8XLHafomVIECZyJw; OpenIdConnect.nonce.oPU1fpV%2FK7KpS4t13DlRPB53E%2F6dwXWDgnXGLm13G%2FQ%3D=NlhOd2lCN2k3MkdLanVGOHNYS2pVMjZNcXIzRldqekpOQUVRZ1RlM3R1dnJHVkVtTmRyWFhTelpJbzAzVHY3TlF4Q1VsUVRPSTZFeDRIOG54ZDMxOU5qendTR1BVY2pXcFlBV2EwWGZvc3BuajRyb0tkSWdiNEJKb3ZQX2JnSzhaa1dyYldFcVVNVWc4MGFnNEloc0dzVXB0UXZWUG9teURqaEQ3Q21mdzZLZUdycVB6TXVPZVljX3pINy1kU0NZb3JEekJiUE04T3hNU2pTUlZtR0d1MmlLRUxVVXBlbXB1Wi1rZnJpZm4xSQ%3D%3D
referer: https://del1-xoa-dweb1/auto/dapsso/Account/Login?ReturnUrl=%2Fauto%2Fdapsso%2Fconnect%2Fauthorize%2Fcallback%3Fclient_id%3D42415689-3B1B-4797-BE0F-B89D521A92F9%26redirect_uri%3Dhttps%253A%252F%252Fdel1-xoa-dweb1%252Fauto%252Fccmdap%252F%26response_type%3Dcode%2520id_token%26scope%3Dopenid%2520profile%2520email%2520offline_access%26state%3DOpenIdConnect.AuthenticationProperties%253Dmf7eYm4CyA4QI0aAoiQX836VLxbVm5lb12fU6QmvwuW6Ohx_zeUhR6OFWbah7THnOGqPD4Hzxmoe0MOv_TmCEj31kBi1R8CN3hh6bAxztiJI4nibFcxtgXVLo6buF3U98qgGc19fQo2jSoakd-Obbval-sqyjxHCVzFqHldzoZ65v1CVWBPPNNra6pbNEM97Wf2ZEzZznru9WPby3NWJ2rPvwcApXN3Q8JnHKQ4irBs%26response_mode%3Dform_post%26nonce%3D637395301041361486.Y2M2ZmQ4YTUtOTM1Mi00MzYzLWI5MTQtNTNkYWM1YjdmOWI5NGY5YjA2OGMtNGVhZC00Y2I2LTg0ZjMtMjBhZmIyZDY2MmE0%26x-client-SKU%3DID_NET461%26x-client-ver%3D5.6.0.0
sec-fetch-dest: document
sec-fetch-mode: navigate
sec-fetch-site: same-origin
sec-fetch-user: ?1
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36

Response headers

cache-control: no-store, no-cache, max-age=0
content-security-policy: default-src 'none'; script-src 'sha256-orD0/VhH8hLqrLxKHD/HUEMdwqX6/0ve7c5hspX5VJ8='
content-type: text/html; charset=UTF-8
date: Thu, 29 Oct 2020 01:03:42 GMT
expires: Thu, 01 Jan 1970 00:00:00 GMT
pragma: no-cache
referrer-policy: no-referrer
server: Microsoft-IIS/10.0
set-cookie: idsrv=CfDJ8EacfO6LIlVAtLjsxTG05JZti0pVHjOYXHqP6D5MpPBLbHM4UpXlzj5Kv-MTM55xuHIPki6XVpKcPPT8Kn6gXdLzWN_e237SNRH81BK4CQv9e6b0thmKmOz0VSd52Lj7CMcHcQTay__3KQED2dUj5D8y69U0-wvEBP1UE0IuiV1VES6DFYslOPe7FR8etAiKzEjl1zW7Ri5OFTaeyYyAGtXVssVxM8_GxwxV8r89-nV3m6zUhpOg6XfuSGWAOrCGqQYnH5YiFsO5X6FIn-ZTYaBYNuZYbW-tAY0P-f8QCK0GHBsMs2Mm0I9z2-dHiUA8CA; path=/auto/dapsso; secure; samesite=none; httponly
status: 200
strict-transport-security: max-age=2592000
x-content-security-policy: default-src 'none'; script-src 'sha256-orD0/VhH8hLqrLxKHD/HUEMdwqX6/0ve7c5hspX5VJ8='

Tratcher commented 4 years ago

.DAPSSO.Session=AG-gK8HVkuNItTjTOIr2pg; is not what an ASP.NET session cookie should look like. You seem to be in the middle of a custom OpenIdConnect authentication flow? Is that auth handler writing a conflicting session cookie? The normal auth handlers don't use a session cookie, but that's my best guess of where this odd value is coming from.

xiaoliyu commented 4 years ago

That's the strange thing. On the working server, the cookie is set in the following format:

.DAPSSO.Session=q6oQ8Omp1taBONiQQmoUJA; path=/; secure; samesite=none; httponly

This cookie was set just after logging in, and it is always working on other servers but not this one. I plan to reinstall .NET Core and see if the issue is addressed.

Response headers

cache-control: no-cache
date: Thu, 29 Oct 2020 01:03:42 GMT
expires: Thu, 01 Jan 1970 00:00:00 GMT
location: /auto/dapsso/connect/authorize/callback?client_id=42415689-3B1B-4797-BE0F-B89D521A92F9&redirect_uri=https%3A%2F%2Fdel1-xoa-dweb1%2Fauto%2Fccmdap%2F&response_type=code%20id_token&scope=openid%20profile%20email%20offline_access&state=OpenIdConnect.AuthenticationProperties%3Dmf7eYm4CyA4QI0aAoiQX836VLxbVm5lb12fU6QmvwuW6Ohx_zeUhR6OFWbah7THnOGqPD4Hzxmoe0MOv_TmCEj31kBi1R8CN3hh6bAxztiJI4nibFcxtgXVLo6buF3U98qgGc19fQo2jSoakd-Obbval-sqyjxHCVzFqHldzoZ65v1CVWBPPNNra6pbNEM97Wf2ZEzZznru9WPby3NWJ2rPvwcApXN3Q8JnHKQ4irBs&response_mode=form_post&nonce=637395301041361486.Y2M2ZmQ4YTUtOTM1Mi00MzYzLWI5MTQtNTNkYWM1YjdmOWI5NGY5YjA2OGMtNGVhZC00Y2I2LTg0ZjMtMjBhZmIyZDY2MmE0&x-client-SKU=ID_NET461&x-client-ver=5.6.0.0
pragma: no-cache
server: Microsoft-IIS/10.0
set-cookie: .DAPSSO.Session=AG-gK8HVkuNItTjTOIr2pg; path=/auto/dapsso; secure; samesite=none; httponly
set-cookie: idsrv=CfDJ8EacfO6LIlVAtLjsxTG05JbU_oFo1Dvk645cYpuSCzKfFayDjTlCbf4Hry7j0d1Ql5-_NYN2_yeut8EID8qMcyY75847kisFPvwUeS64vzNmSRDDXSZP9o9oHBrA3etQ-xQ7SQUpsHgQw0upmiX30JwZIVa8vTwu4hcV-GyAtU5C0LJHHXxIR7DtHORnMRYfnopBATwa5mYYmc0LJ_vETF1BR_eaoLCtPVwh7OV8PRFiIhxigkyDUx1fuaym1x2n-qr0v4q5MtYxy5XyvCQ44_b575VYGwSSSWLWKEVpx8EbXl3F9X8XLHafomVIECZyJw; path=/auto/dapsso; secure; samesite=none; httponly
status: 302
strict-transport-security: max-age=2592000

xiaoliyu commented 4 years ago

@Tratcher thanks for the clue about the OpenIdConnect flow. I mistakenly used the same cookie name as the OpenIdConnect Authentication required cookie. After I changed the name, the issue was fixed.
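The root cause in this thread was two components writing to the same cookie name. The Startup fragment below is an added example (not code from this issue, and not the reporter's custom flow) that uses the stock ASP.NET Core session, cookie-authentication and OpenIdConnect handlers and gives each cookie-writing component its own explicit name, so a collision like the one above cannot happen. All cookie names, the authority URL and the client id are assumed placeholder values.

```csharp
// Added example, not code from the issue. Every component that writes a cookie
// is given a distinct, explicit name instead of relying on defaults; the session
// cookie therefore cannot be overwritten by any authentication cookie.
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddControllers();
        services.AddDistributedMemoryCache();

        services.AddSession(options =>
        {
            options.Cookie.Name = ".MyApp.Session";            // assumed name, used only by the session middleware
            options.Cookie.HttpOnly = true;
            options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
            options.Cookie.SameSite = SameSiteMode.Lax;
        });

        services.AddAuthentication(options =>
        {
            options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
        })
        .AddCookie(options =>
        {
            options.Cookie.Name = ".MyApp.Auth";               // assumed name; must differ from the session cookie
            options.Cookie.HttpOnly = true;
            options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
        })
        .AddOpenIdConnect(options =>
        {
            options.Authority = "https://sso.example.invalid";  // assumed placeholder
            options.ClientId = "example-client";                 // assumed placeholder
            options.ResponseType = "code id_token";
            options.SaveTokens = true;
            // The handler's short-lived correlation and nonce cookies get their own prefixes
            // too, so nothing in the auth flow shares a name with the session cookie.
            options.CorrelationCookie.Name = ".MyApp.Correlation.";
            options.NonceCookie.Name = ".MyApp.Nonce.";
        });
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();
        app.UseAuthentication();
        app.UseSession();
        app.UseAuthorization();
        app.UseEndpoints(endpoints => endpoints.MapControllers());
    }
}
```

A quick check after deploying a change like this is to inspect the Set-Cookie headers on the login round trip, as the reporter did above: each cookie name should appear from exactly one component, and the session cookie's value should stay decodable by the session middleware rather than being replaced by a value another handler wrote.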