我们正在使用WIF身份验证,并且我们遇到一个问题,即用户cookie处于错误状态时会出现问题。抛出的异常是:
System.InvalidOperationException: ID1073: A CryptographicException occurred when attempting to decrypt the cookie using the ProtectedData API (see inner exception for details). If you are using IIS 7.5, this could be due to the loadUserProfile setting on the Application Pool being set to false. ---> System.Security.Cryptography.CryptographicException: Key not valid for use in specified state.
at System.Security.Cryptography.ProtectedData.Unprotect(Byte[] encryptedData, Byte[] optionalEntropy, DataProtectionScope scope)
at System.IdentityModel.ProtectedDataCookieTransform.Decode(Byte[] encoded)
--- End of inner exception stack trace ---
at System.IdentityModel.ProtectedDataCookieTransform.Decode(Byte[] encoded)
at System.IdentityModel.Tokens.SessionSecurityTokenHandler.ApplyTransforms(Byte[] cookie, Boolean outbound)
at System.IdentityModel.Tokens.SessionSecurityTokenHandler.ReadToken(XmlReader reader, SecurityTokenResolver tokenResolver)
at System.IdentityModel.Tokens.SessionSecurityTokenHandler.ReadToken(Byte[] token, SecurityTokenResolver tokenResolver)
at System.IdentityModel.Services.SessionAuthenticationModule.ReadSessionTokenFromCookie(Byte[] sessionCookie)
at System.IdentityModel.Services.SessionAuthenticationModule.TryReadSessionTokenFromCookie(SessionSecurityToken& sessionToken)
at System.IdentityModel.Services.SessionAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs eventArgs)
at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
快速解决此问题的方法是清除Cookie或在其他浏览器中打开或以私密/隐身模式打开。但理想情况下,我们可以告诉IIS将 now 之前的所有Cookie视为已过期。这将迫使重新认证,每个人都可以继续他们的快乐方式。回收应用程序池并没有帮助。
想法?
编辑:我不能肯定地说,但我认为大多数时候我们看到这个问题是因为我们不得不重新启动服务器。答案 0 :(得分:2)
我们在这里使用
public class CryptographicErrorModule : IHttpModule
{
/// <summary>
/// You will need to configure this module in the Web.config file of your
/// web and register it with IIS before being able to use it. For more information
/// see the following link: http://go.microsoft.com/?linkid=8101007
/// </summary>
#region IHttpModule Members
public void Dispose()
{
//clean-up code here.
}
public void Init(HttpApplication context)
{
context.Error += ContextOnError;
}
private void ContextOnError(object sender, EventArgs eventArgs)
{
var context = HttpContext.Current;
if (context == null)
return;
var error = context.Server.GetLastError();
var cryptoError = error as CryptographicException;
if (cryptoError == null && error.InnerException is CryptographicException)
cryptoError = error.InnerException as CryptographicException;
if (cryptoError == null)
return;
if (context.Request.Cookies["CryptoErrorOccured"] != null)
return;
context.Response.Cookies.Clear();
var cookieCount = context.Request.Cookies.Count;
for (int i = 0; i < cookieCount; ++i)
{
var httpCookie = context.Request.Cookies[i];
if (httpCookie != null)
{
var cookieKey = httpCookie.Name;
var cookie = new HttpCookie(cookieKey)
{
Expires = DateTime.Now.AddDays(-1),
Value = "",
Path = httpCookie.Path,
Domain = httpCookie.Domain,
Secure = httpCookie.Secure,
HttpOnly = httpCookie.HttpOnly
};
context.Response.Cookies.Add(cookie);
}
}
var cryptoErrorCookie = new HttpCookie("CryptoErrorOccured", DateTime.UtcNow.ToString("G"))
{
Expires = DateTime.Now.AddMinutes(5)
};
context.Response.Cookies.Add(cryptoErrorCookie);
context.Server.ClearError();
}
#endregion
}