“取消保护会话cookie时出错”异常

Question

我有一个带有以下身份验证设置的Asp.NET MVC应用程序：

ConfigureServices()：

services.AddSession()
services.AddAuthentication(sharedOptions => sharedOptions.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme);

Configure()：

        app.UseCookieAuthentication(new CookieAuthenticationOptions());
        app.UseOpenIdConnectAuthentication(new OpenIdConnectOptions
        {
            ClientId = "xx",
            Authority = "xx",
            Events = new OpenIdConnectEvents { OnRemoteFailure = this.OnAuthenticationFailed }
        });

当托管在IIS中时，一些用户会收到以下异常：

Microsoft.AspNetCore.Session.SessionMiddleware, 
      Error unprotecting the session cookie.
System.Security.Cryptography.CryptographicException: The key {9ec59def-874e-45df-9bac-d629f5716a04} was not found in the key ring.
   at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.UnprotectCore(Byte[] protectedData, Boolean allowOperationsOnRevokedKeys, UnprotectStatus& status)
   at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.DangerousUnprotect(Byte[] protectedData, Boolean ignoreRevocationErrors, Boolean& requiresMigration, Boolean& wasRevoked)
   at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.Unprotect(Byte[] protectedData)
   at Microsoft.AspNetCore.Session.CookieProtection.Unprotect(IDataProtector protector, String protectedText, ILogger logger)

我已经在托管服务器https://github.com/aspnet/DataProtection/blob/dev/Provision-AutoGenKeys.ps1上运行了此程序

网站只有HTTPS绑定，SSL证书可以并签名。导致此问题的原因是什么？这个"key“值到底是什么？

Answer 1

我也有同样的问题。我通过以下方式修复它：

如下所示的

• Configuring会话：https://docs.microsoft.com/en-us/aspnet/core/fundamentals/app-state?view=aspnetcore-5.0

Startup的ConfigureServices方法：

    services.AddControllersWithViews()
            .AddSessionStateTempDataProvider();

    services.AddRazorPages()
            .AddSessionStateTempDataProvider();

    services.AddSession(options =>
    {
        options.IdleTimeout = TimeSpan.FromHours(4);
        options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
        options.Cookie.SameSite = SameSiteMode.Strict;
        options.Cookie.HttpOnly = true;
        // Make the session cookie essential if you wish
        //options.Cookie.IsEssential = true;
    });

启动的配置方法：

        app.UseCookiePolicy();

        app.UseSession();

在浏览器中为此网站

• Deleting所有现有的cookies (或者服务器可能会尝试读取旧的cookies，即使您同时修复了问题)

Answer 2

更改以下内容的services.AddSession()：

services.AddSession(options =>
    {
        // Set a short timeout for easy testing.
        options.IdleTimeout = TimeSpan.FromMinutes(60);
        // You might want to only set the application cookies over a secure connection:
        options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
        options.Cookie.SameSite = SameSiteMode.Strict;
        options.Cookie.HttpOnly = true;
        // Make the session cookie essential
        options.Cookie.IsEssential = true;
    });

这应该可以解决你的问题！