"Error unprotecting the session cookie" exception

I have an ASP.NET MVC application with this authentication setup:

ConfigureServices():

    services.AddSession();
    services.AddAuthentication(sharedOptions => sharedOptions.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme);

Configure():

        app.UseCookieAuthentication(new CookieAuthenticationOptions());
        app.UseOpenIdConnectAuthentication(new OpenIdConnectOptions
        {
            ClientId = "xx",
            Authority = "xx",
            Events = new OpenIdConnectEvents { OnRemoteFailure = this.OnAuthenticationFailed }
        });

When hosted in IIS, some users get this exception:

Microsoft.AspNetCore.Session.SessionMiddleware, 
      Error unprotecting the session cookie.
System.Security.Cryptography.CryptographicException: The key {9ec59def-874e-45df-9bac-d629f5716a04} was not found in the key ring.
   at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.UnprotectCore(Byte[] protectedData, Boolean allowOperationsOnRevokedKeys, UnprotectStatus& status)
   at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.DangerousUnprotect(Byte[] protectedData, Boolean ignoreRevocationErrors, Boolean& requiresMigration, Boolean& wasRevoked)
   at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.Unprotect(Byte[] protectedData)
   at Microsoft.AspNetCore.Session.CookieProtection.Unprotect(IDataProtector protector, String protectedText, ILogger logger)

I have run this on the hosting server https://github.com/aspnet/DataProtection/blob/dev/Provision-AutoGenKeys.ps1

The website has only an HTTPS binding; the SSL certificate is OK and signed. What might cause this issue? What actually is that "key" value?



Solution 1:[1]

I had the same issue. I fixed it by:

Startup's ConfigureServices method:

    services.AddControllersWithViews()
            .AddSessionStateTempDataProvider();

    services.AddRazorPages()
            .AddSessionStateTempDataProvider();

    services.AddSession(options =>
    {
        options.IdleTimeout = TimeSpan.FromHours(4);
        options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
        options.Cookie.SameSite = SameSiteMode.Strict;
        options.Cookie.HttpOnly = true;
        // Make the session cookie essential if you wish
        //options.Cookie.IsEssential = true;
    });

Startup's Configure method:

        app.UseCookiePolicy();

        app.UseSession();

  • Deleting all existing cookies in the browser for this website (or the server may attempt to read old cookies, even if you fix the problem in the meantime)

Solution 2:[2]

    services.AddSession(options => {
        options.IdleTimeout = TimeSpan.FromHours(12);
        options.Cookie.Name = ".yourApp.Session"; // <--- Add line
        options.Cookie.IsEssential = true;
    });
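
Added example (not part of the question or of either answer): the GUID in the exception is the id of the Data Protection key that encrypted the session cookie, and the error is raised when that key is missing from the key ring the application currently loads, typically because the keys were not persisted across an app pool restart or are not shared between instances. The sketch below persists the key ring explicitly and logs the key ids at startup so they can be compared with the id in the exception. The directory `C:\keys\yourApp` and the application name `yourApp` are assumptions.

```csharp
using System.IO;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.DataProtection.KeyManagement;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // Assumed path: must survive app pool recycles and be readable and
        // writable only by the app pool identity.
        var keyDir = new DirectoryInfo(@"C:\keys\yourApp");

        services.AddDataProtection()
            .PersistKeysToFileSystem(keyDir)  // same key ring after every restart
            .ProtectKeysWithDpapi()           // encrypt key files at rest (Windows, single server)
            .SetApplicationName("yourApp");   // must match on every instance sharing the ring

        services.AddSession(options =>
        {
            options.Cookie.HttpOnly = true;
            options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
        });
        services.AddControllersWithViews();
    }

    public void Configure(IApplicationBuilder app, IKeyManager keyManager, ILogger<Startup> logger)
    {
        // Log every key id in the ring; a cookie whose key id is not listed
        // here fails with "was not found in the key ring".
        foreach (var key in keyManager.GetAllKeys())
        {
            logger.LogInformation(
                "Data protection key {KeyId} expires {Expires:u} revoked={Revoked}",
                key.KeyId, key.ExpirationDate, key.IsRevoked);
        }

        app.UseRouting();
        app.UseSession();
        app.UseEndpoints(endpoints => endpoints.MapDefaultControllerRoute());
    }
}
```

On a web farm, DPAPI-protected key files cannot be read by other machines; a shared key store protected with `ProtectKeysWithCertificate` is the usual alternative.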

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1
Solution 2 Tyler2P