
The antiforgery token could not be decrypted after session timeout #9697


ashvinu created
  • What is your product version? 8.6
  • What is your product type (Angular or MVC)? MVC and Jquery
  • What is product framework type (.net framework or .net core)? .Net core

Hello,

I have enabled the session timeout settings and set the value to 15 minutes. After 15 minutes of inactivity, I am redirected back to the login page. When I try to log in again, I get an error and it says error detail not provided by the server. I get the following from the logs:

ERROR 2020-09-15 15:58:01,046 [60   ] spNetCore.Antiforgery.DefaultAntiforgery - An exception was thrown while deserializing the token.
Microsoft.AspNetCore.Antiforgery.AntiforgeryValidationException: The antiforgery token could not be decrypted.
 ---> System.Security.Cryptography.CryptographicException: The key {b8f7b4e7-46d4-4309-8d00-f21ad7e8583d} was not found in the key ring.
   at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.UnprotectCore(Byte[] protectedData, Boolean allowOperationsOnRevokedKeys, UnprotectStatus& status)
   at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.DangerousUnprotect(Byte[] protectedData, Boolean ignoreRevocationErrors, Boolean& requiresMigration, Boolean& wasRevoked)
   at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.Unprotect(Byte[] protectedData)
   at Microsoft.AspNetCore.Antiforgery.DefaultAntiforgeryTokenSerializer.Deserialize(String serializedToken)
   --- End of inner exception stack trace ---
   at Microsoft.AspNetCore.Antiforgery.DefaultAntiforgeryTokenSerializer.Deserialize(String serializedToken)
   at Microsoft.AspNetCore.Antiforgery.DefaultAntiforgery.GetCookieTokenDoesNotThrow(HttpContext httpContext)

I have configured data protection as per Microsoft documentation available at https://docs.microsoft.com/en-us/aspnet/core/host-and-deploy/iis/?view=aspnetcore-3.1#data-protection and I see the key is being stored at %LOCALAPPDATA%/ASP.NET/DataProtection-Keys folder on the IIS server. I have also implemented Distributed SQL server cache (https://docs.microsoft.com/en-us/aspnet/core/performance/caching/distributed?view=aspnetcore-3.1#distributed-sql-server-cache) but the error keeps on popping up.

Note that the issue happens intermittently and the error goes away if I refresh the browser and try to log in again.

Is there a way that I can refresh the browser automatically when the user is logged out when his session times out?

Thanks Kirtee


2 Answer(s)
  • ashvinu created

    Hi, is there a way I can clear the cookie from the browser when the user is logged out on session timeout? Alternatively, what is the equivalent of Session.Abandon(); in ASP.Net Zero?

    Thanks and Regards

  • ismcagdas created
    Support Team

    Hi @ashvinu

    The cookie must be deleted when the user is logged out. We are directly using ASP.NET's Identity. Could you check that?

    Alternatively, what is the equivalent of Session.Abandon(); in ASP.Net Zero?

    You can use it as you do in a regular ASP.NET Core application, AspNet Zero doesn't have a special implementation.
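
The exception in the question names a key id that the Data Protection key ring did not contain. As an added example (not part of the thread and not ASP.NET Zero code), the Python script below extracts such key ids from log text and checks whether a matching key-*.xml file exists in a given key folder. The key folder contents and the second key id are constructed for the demo; an "absent" result means the token was protected with a key that is not stored in that folder.

```python
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Message format taken from the log in the question.
KEY_NOT_FOUND = re.compile(
    r"The key \{([0-9a-fA-F-]{36})\} was not found in the key ring")

def missing_key_ids(log_text):
    """Distinct key ids the log reports as missing, in first-seen order."""
    return list(dict.fromkeys(k.lower() for k in KEY_NOT_FOUND.findall(log_text)))

def load_key_ring(key_dir):
    """Map key id -> creationDate text for each key-*.xml file in key_dir."""
    ring = {}
    for path in sorted(Path(key_dir).glob("key-*.xml")):
        try:
            root = ET.parse(path).getroot()
        except ET.ParseError:
            continue  # skip a truncated or partially written key file
        if root.tag == "key" and root.get("id"):
            ring[root.get("id").lower()] = root.findtext("creationDate", default="")
    return ring

def check_keys(log_text, key_dir):
    """For each missing key id, report whether a key file for it is in key_dir."""
    ring = load_key_ring(key_dir)
    return {k: ("present" if k in ring else "absent") for k in missing_key_ids(log_text)}

# Constructed sample: the log lines from the question plus a constructed key folder.
SAMPLE_LOG = (
    "Microsoft.AspNetCore.Antiforgery.AntiforgeryValidationException: "
    "The antiforgery token could not be decrypted.\n"
    " ---> System.Security.Cryptography.CryptographicException: The key "
    "{b8f7b4e7-46d4-4309-8d00-f21ad7e8583d} was not found in the key ring.\n")
CONSTRUCTED_KEY_ID = "11111111-2222-3333-4444-555555555555"  # not a real key

def demo():
    with tempfile.TemporaryDirectory() as d:
        xml = (f'<key id="{CONSTRUCTED_KEY_ID}" version="1">'
               "<creationDate>2020-09-15T16:00:00.0000000Z</creationDate></key>")
        Path(d, f"key-{CONSTRUCTED_KEY_ID}.xml").write_text(xml, encoding="utf-8")
        return check_keys(SAMPLE_LOG, d), load_key_ring(d)

if __name__ == "__main__":
    print(demo())
```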