An exception was thrown while deserializing the token.

[Tratcher]

From @1amirjalai on April 29, 2017 13:30

System.Security.Cryptography.CryptographicException: The key {xxxxxxxx} was not found in the key ring.

Im running asp.net core on a webfarm using redis as dataprotection.
after getting error like this from redis
Timeout performing EVAL, inst: 9, queue: 1448, qu: 0, qs: 1448, qc: 0, wr: 0, wq: 0, in: 65536, ar: 0, clientName: xxxx
i opt in to make redis thread safe using this code

   private static readonly Lazy<ConnectionMultiplexer> LazyConnection = new Lazy<ConnectionMultiplexer>(() =>
        {
        
           return ConnectionMultiplexer.Connect("xxxxxx,abortConnect=false,syncTimeout=3000");
        });

        public static ConnectionMultiplexer SafeCoonect
        {
            get
            {
                return LazyConnection.Value;
            }
        }

and initialize it in startup like :

      var redis = RedisConnectionManager.SafeCoonect;
         
                services
            .AddDataProtection()
          .PersistKeysToRedis(redis, "Key");

but now i get new error

The antiforgery token could not be decrypted. ---> System.Security.Cryptography.CryptographicException: The key {xxxxxxx} was not found in the key ring.

I'm also getting this warning :

Error unprotecting the session cookie.

what should i do?

Copied from original issue: aspnet/IISIntegration#363

[amirjalali1]

i also have opened an issue on stackoveflow here

[blowdart]

Have you set the application name to be static?

   services.AddDataProtection()
       .SetApplicationName("my application")
       .PersistKeysToRedis(redis, "Key");

[amirjalali1]

@blowdart No i haven't set application name to be static.

does setting application name to be static will affect my current users?

i have more info on what's happened that cause this error. redis connection string has been changed accidentally for some minutes to another redis instance and again changed back to correct one.

here redis connection string was changed for some minutes under heavy website traffic
return ConnectionMultiplexer.Connect("xxxxxx,abortConnect=false,syncTimeout=3000");

i need a way to handle and prevent this error.

i was thinking about setting
.SetDefaultKeyLifetime(TimeSpan.FromDays(1));
for one day and again set it back to 90 days after two or three days if that could help prevent the errors.

but i'm affraid that it causes more error under current situation

[amirjalali1]

Here are a list of errors and warnings that i'm getting constantly

The antiforgery token could not be decrypted. ---> System.Security.Cryptography.CryptographicException: The key {xxxxxxx} was not found in the key ring.
or
the most exception i get:
An exception was thrown while deserializing the token.
or
which i get the most warning is :
Error unprotecting the session cookie.

[blowdart]

You're going to find that 1 day is too little.

In your situation I'd start again. I'd set a static application name, because you do need that - keys are isolated by default based on app name. Redeploy and point everything to the same redis instance, and just take the hit of people being logged out. Remember unless you have redis configured for persistence the logout is going to happen whenever redis restarts too, because without persistence it'll throw the keys away.

[amirjalali1]

@blowdart after setting the name i have new errors

An exception was thrown while deserializing the token.

[blowdart]

Hmm. Is there a full stack trace anywhere, because that's not coming from data protection any more

[amirjalali1]

@blowdart yes here is one of them

System.InvalidOperationException: The antiforgery token could not be decrypted. 
---> System.Security.Cryptography.CryptographicException: The payload was invalid. 
at Microsoft.AspNetCore.DataProtection.Cng.CbcAuthenticatedEncryptor.DecryptImpl(Byte* pbCiphertext, UInt32 cbCiphertext, Byte* pbAdditionalAuthenticatedData, UInt32 cbAdditionalAuthenticatedData) at Microsoft.AspNetCore.DataProtection.Cng.Internal.CngAuthenticatedEncryptorBase.Decrypt(ArraySegment`1 ciphertext, ArraySegment`1 additionalAuthenticatedData) 
at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.UnprotectCore(Byte[] protectedData, Boolean allowOperationsOnRevokedKeys, UnprotectStatus& status) 
at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.DangerousUnprotect(Byte[] protectedData, Boolean ignoreRevocationErrors, Boolean& requiresMigration, Boolean& wasRevoked) 
at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.Unprotect(Byte[] protectedData) 
at Microsoft.AspNetCore.Antiforgery.Internal.DefaultAntiforgeryTokenSerializer.Deserialize(String serializedToken) 
--- End of inner exception stack trace --- 
at Microsoft.AspNetCore.Antiforgery.Internal.DefaultAntiforgeryTokenSerializer.Deserialize(String serializedToken) 
at Microsoft.AspNetCore.Antiforgery.Internal.DefaultAntiforgery.GetCookieTokenDoesNotThrow(HttpContext httpContext)

and i also have a lot of warning

with the following full stack trace

System.Security.Cryptography.CryptographicException: The payload was invalid. 
at Microsoft.AspNetCore.DataProtection.Cng.CbcAuthenticatedEncryptor.DecryptImpl(Byte* pbCiphertext, UInt32 cbCiphertext, Byte* pbAdditionalAuthenticatedData, UInt32 cbAdditionalAuthenticatedData) 
at Microsoft.AspNetCore.DataProtection.Cng.Internal.CngAuthenticatedEncryptorBase.Decrypt(ArraySegment`1 ciphertext, ArraySegment`1 additionalAuthenticatedData) 
at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.UnprotectCore(Byte[] protectedData, Boolean allowOperationsOnRevokedKeys, UnprotectStatus& status) 
at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.DangerousUnprotect(Byte[] protectedData, Boolean ignoreRevocationErrors, Boolean& requiresMigration, Boolean& wasRevoked) 
at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.Unprotect(Byte[] protectedData) 
at Microsoft.AspNetCore.Session.CookieProtection.Unprotect(IDataProtector protector, String protectedText, ILogger logger)

[blowdart]

OK, throwing to a dev now to see if he can reproduce this. Hey @natemcmaster have a present :D

[amirjalali1]

@blowdart @natemcmaster

Antiforgery is configured at startup like :

can it be the reason of
System.Security.Cryptography.CryptographicException: The payload was invalid

any progress on the issue?

is there anything i can do to help this issue be solved?

   services.AddAntiforgery(
                options =>
                {
                    // Rename the Anti-Forgery cookie from "__RequestVerificationToken" to "f". This adds a little
                    // security through obscurity and also saves sending a few characters over the wire.
                    options.CookieName = "f";

                    // Rename the form input name from "__RequestVerificationToken" to "f" for the same reason above
                    // e.g. <input name="__RequestVerificationToken" type="hidden" value="..." />
                    options.FormFieldName = "f";

                    // Rename the Anti-Forgery HTTP header from RequestVerificationToken to X-XSRF-TOKEN. X-XSRF-TOKEN
                    // is not a standard but a common name given to this HTTP header popularized by Angular.
                    options.HeaderName = "X-XSRF-TOKEN";
                });

[amirjalali1]

weirdest thing happened as soon as i changed configed antiforgery token to just

services.AddAntiforgery()

all errors went away.

there are just unprotecting the session cookie warning that remained and no error

System.Security.Cryptography.CryptographicException: The payload was invalid. 
at Microsoft.AspNetCore.DataProtection.Cng.CbcAuthenticatedEncryptor.DecryptImpl(Byte* pbCiphertext, UInt32 cbCiphertext, Byte* pbAdditionalAuthenticatedData, UInt32 cbAdditionalAuthenticatedData) 
at Microsoft.AspNetCore.DataProtection.Cng.Internal.CngAuthenticatedEncryptorBase.Decrypt(ArraySegment1 ciphertext, ArraySegment1 additionalAuthenticatedData) 
at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.UnprotectCore(Byte[] protectedData, Boolean allowOperationsOnRevokedKeys, UnprotectStatus& status) 
at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.DangerousUnprotect(Byte[] protectedData, Boolean ignoreRevocationErrors, Boolean& requiresMigration, Boolean& wasRevoked) 
at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.Unprotect(Byte[] protectedData) at Microsoft.AspNetCore.Session.CookieProtection.Unprotect(IDataProtector protector, String protectedText, ILogger logger)

[amirjalali1]

The issue has come back once again after upgrading servers.
again i'm having a lot of
Error unprotecting the session cookie.

System.Security.Cryptography.CryptographicException: The key {xxxxx-xxxx-xxxxx-xxxxx-xxxxxx} was not found in the key ring. at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.UnprotectCore(Byte[] protectedData, Boolean allowOperationsOnRevokedKeys, UnprotectStatus& status) at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.DangerousUnprotect(Byte[] protectedData, Boolean ignoreRevocationErrors, Boolean& requiresMigration, Boolean& wasRevoked) at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.Unprotect(Byte[] protectedData) at Microsoft.AspNetCore.Session.CookieProtection.Unprotect(IDataProtector protector, String protectedText, ILogger logger)

is there any solution or workaround for this issue?

i have changed antiforgery cookie name and also changed application cookie name but no success

services.AddAntiforgery(
                options =>
                {
            
                    options.CookieName = "n";
                }
                );

services.AddDataProtection().SetApplicationName("xxxx").PersistKeysToRedis(redis, "zzzz");

   services.Configure<IdentityOptions>(options =>
            {
           
                options.Cookies.ApplicationCookie.CookieName = ".mmmm";
});