The antiforgery token could not be decrypted - Only for specific user #47185
Comments
ghost
added
I suppose it's not impossible - are you able to share the user's name? Or maybe just the non-ASCII characters in it? Or what sort of non-ASCII characters it contains (Latin with accents? Japanese? emoji?)?
I wasn't sure quite what you meant by this. I think maybe the user is seeing some sort of failure in their browser and when you look for failures in the log at the corresponding time, this is the stack you see? Some boilerplate questions:
|
|
We are having this same error running aspnet core web api 6.0 on AWS ECS |
|
I had the same issue in asp.net 7.0 on windows/IIS. One instance. And no special characters in the user name. |
Hi, It doesn't contain any special characters or ascii. Yes, I had the user share their screen, trigger the error and check the logs to ensure it's that error preventing them from submitting a form. No, I do not have multiple instances running. |
|
@weirdyang If you're in contact with the user, it might be interesting to ask them to try again after clearing their cookies. @weirdyang @NitinSinghSF @ChadEQ How is your key ring stored? Is it a file on disk? A blob in Azure Storage? |
|
Does anyone have a log including namespace |
|
Hi
We have tried the following:
1. Private browsing session
2. Clearing cookies and cache
3. On an iPad and iPhone
4. On an android phone
5. On another user’s laptop
We still run into the same error.
…On Wed, 15 Nov 2023 at 8:34 AM, Andrew Casey ***@***.***> wrote:
@weirdyang <https://github.com/weirdyang> If you're in contact with the
user, it might be interesting to ask them to try again after clearing their
cookies.
@weirdyang <https://github.com/weirdyang> @NitinSinghSF
<https://github.com/NitinSinghSF> @ChadEQ <https://github.com/ChadEQ> How
is your key ring stored? Is it a file on disk? A blob in Azure Storage?
—
Reply to this email directly, view it on GitHub
<#47185 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AGDEEVXX32FPULLO3FNWH5TYEQEXRAVCNFSM6AAAAAAV2DUB7GVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTQMJRGYYTEMRQHA>
.
You are receiving this because you were mentioned.Message ID:
***@***.***>
|
|
@weirdyang To confirm, this happens on every form submission from this user? @NitinSinghSF @ChadEQ Are you seeing the same? There are multiple ways this error could arise. |
|
All sorts of default behaviors are overridable, e.g. with Edit: it's in the anti-forgery token, which might explain why the problem follows the user. Maybe something about the way the user is encoded in the token breaks deserialization so that a bad data protection key ID is retrieved? |
|
I'm assuming no one has a repro project they're able to share? |
|
Just for the record, I suppose I should mention that netcoreapp3.1 is out of support and wouldn't be patched if that ended up being the fix. I'm tentatively operating on the assumption that @NitinSinghSF and @ChadEQ are seeing the same exception in 6.0 and 7.0, but it would be nice if they could confirm that they're seeing the same symptoms - the problem follows particular users across devices / cookie wipes. |
|
I'm on .net 7.0. And for me, it's extremely rare, not consistent. |
|
@ChadEQ Are you seeing it for particular users or do you just occasionally see that log message? |
|
@weirdyang Is the username unusually long or short? |
|
@weirdyang Are you working with @apetrut? #51165 appears to have an error message with the same GUID. |
No The user name is not unusually long |
|
Currently only see it for one user. It seems to be the first submit (the user is logging in) for the user after an IIS app pool recycle. The user name is 3 characters, but so are all the others. |
|
And is that user seeing in on multiple devices and/or after clearing cookies? |
|
Also, can you please confirm you're seeing a different GUID in your error message? I'm going to get creeped out if there are three of these. |
|
Serialization format for the anti-forgery token: /* The serialized format of the anti-XSRF token is as follows:
* Version: 1 byte integer
* SecurityToken: 16 byte binary blob
* IsCookieToken: 1 byte Boolean
* [if IsCookieToken != true]
* +- IsClaimsBased: 1 byte Boolean
* | [if IsClaimsBased = true]
* | `- ClaimUid: 32 byte binary blob
* | [if IsClaimsBased = false]
* | `- Username: UTF-8 string with 7-bit integer length prefix
* `- AdditionalData: UTF-8 string with 7-bit integer length prefix
*/This blob of binary is then encrypted. From the stack, this is done using a Finally, the encrypted payload is base64 encoded. Reversing this to deserialize, we expect only to have to base64 decode and discard 4 bytes of magic header to access the 16 bytes of the key ID. While user-specific data does appear in the payload, particularly in the There are some nuances around endianness, but we've said that this repros across a number of widely-used devices. There are definitely scenarios/bugs where you could fail to find a key, but I'm having trouble thinking of a way it could affect only particular users. |
|
I gather these apps are authenticated. What mechanism are people using? Claims-based? Which provider? |
|
To answer your previous questions first, but not sure if any of them where directed at me. Different key than what's reported in this issue. User hasn't tried different devices, but has tried Edge and Chrome. Interestingly but probably coincidental, it seems to be easier to reproduce using Edge than Chrome. Yes, using authentication. Cookie authentication scheme and yes using claims. But for us, the error is happening on an anonymous page, before the user has logged in, so no authentication cookie is sent, just the anti-forgery. |
|
@ChadEQ Thanks! Sorry for not being clearer with tags. I'm relieved to hear that the guid is different. 😅 Edge and Chrome are pretty similar these days, though that should at least get you a fresh cookie. Trying on a different device would be interesting, if that's an option. The fact that this is happening before authentication is interesting - I think it will still put a blank username in the token, but that should be the same for all users. Is the user themself distinguished in some way? Are they the first to sign in every morning (e.g. because of time zones)? |
|
@weirdyang @ChadEQ Are either of you able to debug the server while this is failing? We have public symbols and I can suggest breakpoints. |
|
@amcasey I had a similar issue when using same browser with 2 tabs. If tried using 2 different browsers then I didn't get that issue anymore. |
|
@apetrut I think two tabs in the same browser would use the same cookie and require the same key for decryption. |
|
@apetrut Any insights on the GUID collision? I'm assuming you didn't copy-paste yours from this bug. |
|
@amcasey I don't recall seeing this ticket when I opened mine. @weirdyang This is what I've tried in order to get rid of the error and it worked for me: services.AddAntiforgery(options => and also: services.AddDataProtection() |
|
It's not obvious to me how changing the anti-forgery options could help, but explicitly configuring data protection might well bypass whatever bug/surprising behavior is causing this error. |
|
FYI, we're going into a long weekend here, so responses are likely to be slow until next week. |
|
Thanks for contacting us. We're moving this issue to the |
|
I didn't read this entire thread, so I apologize if someone already suggested this... One possible cause: If you are using IIS, make sure the application pool (Advanced Settings) has 'Load User Profile' set to True. |
|
Hi! A point to be considered is, it rarely happens on our production server, but it happens every time on our test server, where we set the same PasswordHash for all users. Now as far as I could trace it, the authentication is done successfully, but afterwards, when redirecting to a protected endpoint, this error happens and the user is unable to log in.
I also did that and the result was the same. |
|
I have the same error, especially in development - the error is logged on each startup even after cleaning cookies in the browser. Also using Chrome. EDIT: |
|
same issue here, just tapping in so I get notified if/when there's a resolution |
|
@enkelmedia @joepietrzak I just want to confirm: there are lots of reasons you might see key not found errors - what's special about this thread is that the error somehow follows a particular user, even across devices, but other users are unaffected. Is that's what you're seeing? |
|
@amcasey It seems like that, one solution we work on works on my colleges computer but I get this issue. The issue is also not present on test, stage or prod machines. To be fair - i did not try to clone the solution into a clean folder - might be worth trying. |
|
Any update? Facing the same issue. |
|
same issue here ... |
|
I have a case that is not user specific. I will report it here, as I am not fully certain that it is an issue or expected behaviour. It might help with this. Context:
Simply navigating to Exception: The antiforgery token could not be decrypted.Source:
InnerException: The key {597fc0e8-bbce-4963-b068-0f809a667142} was not found in the key ring. For more information go to https://aka.ms/aspnet/dataprotectionwarningSource:
Edit:I suppose this is more related with #5405, but I cannot be certain. |
|
I face same issue in my local IIS. It is fine in Staging and production envs. |
|
As a workaround, a middleware "standardizing" the request path has been added in our app right after // context is the HttpContext.
var basePath = context.Request.PathBase;
if (basePath.StartsWithSegments(_basePathWithoutSlash, StringComparison.InvariantCultureIgnoreCase)
&& !basePath.StartsWithSegments(_basePathWithoutSlash, StringComparison.Ordinal))
{
// Redirect to _basePathWithoutSlash + context.Request.Path
}
// carry on |
|
Same issue: Blazor Net8 : Rendermode Auto (with server and client components) Deployed Windows Server 2019 on 2 nodes. When the app is deployed first time i get the exception, in the logs: But somehow the app its up with no problems Tried following the code recommended in the guides: But nothing changes, i get the error only when the app is deployed for the first time Update: i think its related with this : #46124 |
|
I'm not using the
it starts here: |
and others
Is there an existing issue for this?
Describe the bug
We insert an anti-forgery token into the form using
@Html.AntiForgeryToken()and validate the request using the[ValidateAntiForgeryToken], however we occasionally get the error above when one user tries to submit.How is the key generated? Why does the user affect the generation of the token?
Expected Behavior
When user submit a form, the request token is valid and the user request is accepted.
Steps To Reproduce
@Html.AntiForgeryToken()[ValidateAntiForgeryToken]Exceptions (if any)
An exception was thrown while deserializing the token.
Microsoft.AspNetCore.Antiforgery.AntiforgeryValidationException: The antiforgery token could not be decrypted.
.NET Version
netcoreapp3.1
Anything else?
We have tried this with different users, different devices and different browsers.
Only this user has the issue, and it is correlated with the logs' timestamp.
I've checked the source code, and was wondering could it be due to special characters in the user name?
https://github.com/dotnet/aspnetcore/blob/main/src/Antiforgery/src/Internal/DefaultAntiforgeryTokenGenerator.cs
No response
The text was updated successfully, but these errors were encountered: