search

dotnet / aspnetcore

ASP.NET Core is a cross-platform .NET framework for building modern cloud-based web applications on Windows, Mac, or Linux.
https://asp.net
MIT License
34.79k stars 9.83k forks source link

.Net 5 losing HttpContext #55806

Open UrbimDeveloper opened 1 month ago

UrbimDeveloper commented 1 month ago

Hello,

For a while now we are experiencing an error with the HttpContext in our platform. To be more exact the HttpContext information is being lost. Our platform uses IIS, Docker Desktop and .Net (5, 6 and 7) on a Windows Server 2022 standard.

We initially had several Docker containers running in Docker Desktop (.Net 7 APIs), but due to several issues with Docker Desktop, we decided to move most of them to IIS, leaving only one Redis container inside Docker (we use Redis to store info about permissions in our platform, but not to persist cookies).

When publishing and deploying the platform to the test server, where there is another environment with all the microservices still inside Docker, we started having problems with the application HttpContext (after some time running, the HttpContext is lost).

We have an Authentication Filter where we check the content of the HttpContext object. If the HttpContext is null we raise an error that makes the IIS AppPool of the main MVC site (where the Filter code is placed) stop.

Looking at the registry errors we just find this (not sure about the relationship with the issue):

16:35:30.284 +02:00 [Warning] [Microsoft.AspNetCore.Session.SessionMiddleware] Error unprotecting the session cookie. System.Security.Cryptography.CryptographicException: The key {bc1e3537-e07d-4056-993f-89f14e7315b3} was not found in the key ring. at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.UnprotectCore(Byte[] protectedData, Boolean allowOperationsOnRevokedKeys, UnprotectStatus& status) at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.DangerousUnprotect(Byte[] protectedData, Boolean ignoreRevocationErrors, Boolean& requiresMigration, Boolean& wasRevoked) at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.Unprotect(Byte[] protectedData) at Microsoft.AspNetCore.Session.CookieProtection.Unprotect(IDataProtector protector, String protectedText, ILogger logger)

We don't have any specific configuration for Microsoft.AspNetCore.DataProtection in our code.

To avoid this we have tried several solutions found on different forums without success. We've even tried deleting the keys from C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys, but this just causes the other environment (the one with the microservices still running inside Docker) to fail.

We can quickly reproduce the error by initializing our platform with the same user in two different browsers.

We just configure session by doing this:

services.AddSession(opts =>
{
    opts.Cookie.IsEssential = true; 
    opts.Cookie.HttpOnly = true;                
    opts.IdleTimeout = TimeSpan.FromMinutes(30); 
    opts.IOTimeout = TimeSpan.FromMinutes(30); 
});

Any idea about what is happening and how to solve it?

Thanks a lot in advance.

adityamandaleeka commented 1 month ago

Can you say more about what you mean by "the HttpContext is lost"? What exactly happens and where do you observe it? FWIW this doc is worth reviewing: https://learn.microsoft.com/en-us/aspnet/core/fundamentals/http-context?view=aspnetcore-8.0#httpcontext-access-from-a-background-thread

Crucially, HttpContext isn't thread-safe, and you shouldn't pass it around to do background work.

By the way, totally unrelated to the issue, but just curious because of how you described your services-based app, have you explored .NET Aspire?

colingreen-payroc commented 5 days ago

This is a big clue:

Error unprotecting the session cookie. System.Security.Cryptography.CryptographicException: The key {bc1e3537-e07d-4056-993f-89f14e7315b3} was not found in the key ring.

It appears that session state encryption is enabled, and that the key is changing.