MVC 6 WebFarm: antiforgery token cannot be decrypted

I am running MVC 6 (vNext) in a webfarm setup (ARR front end with multiple AppServers). Server affinity is disabled.

When I switch application servers from one request to the next, I get an error:

CryptographicException: key {3275ccad-973d-43ca-930f-fbac4d276640} was not found in the key ring.

InvalidOperationException: antiforgery token cannot be decrypted.

I used to believe that this was handled by setting a static MachineKey in web.config.

As I understand it, we have now moved to the new DataProtection API, and I tried the following, believing that the application name is used as something like a seed:

    services.AddDataProtection();
    services.ConfigureDataProtection(configure =>
    {
        configure.SetApplicationName("WebAppName");
    });

which does not solve the problem.

Any idea how to solve this problem in vNext?

+6

1 answer

Description

You will need to reuse the same keys.

If you are on Azure, the keys are synchronized via NAS-style storage at %HOME%\ASP.NET\DataProtection-Keys.

For an application run locally, they are stored in %LOCALAPPDATA%\ASP.NET\DataProtection-Keys of the user running the application, or in the registry if it is running under IIS.

If neither of the above applies, a key is generated for the lifetime of the process.

Solution

So the first option is not available (Azure only). However, you can synchronize the keys from %LOCALAPPDATA%\ASP.NET\DataProtection-Keys of the user running the application on each machine the application runs on.

But even better, you could simply point it at a network share as follows:

    sc.ConfigureDataProtection(configure =>
    {
        // persist keys to a specific directory
        configure.PersistKeysToFileSystem(new DirectoryInfo(@"Z:\temp-keys\"));
    });

This will allow you to scale while maintaining your security.

Important: your keys will expire after 90 days. It will be important to regenerate them regularly.

You can change this with the following bit of code; the shorter, the safer.

    services.ConfigureDataProtection(configure =>
    {
        // use a 14-day lifetime instead of the 90-day lifetime
        configure.SetDefaultKeyLifetime(TimeSpan.FromDays(14));
    });

Source

+7
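The following is an added example, not code from the question or the answer above. It reproduces the failure mode the question describes and the fix the answer proposes with a small console program: three data-protection providers stand in for three app servers, two of them sharing one key directory and the third using its own (the equivalent of each box keeping keys in its own %LOCALAPPDATA%). It uses the current Microsoft.AspNetCore.DataProtection API (package Microsoft.AspNetCore.DataProtection.Extensions), in which the vNext-era ConfigureDataProtection(...) call has since become the builder returned by AddDataProtection()/DataProtectionProvider.Create(); the "WebAppName" application name, the "AntiforgeryDemo" purpose string and the temporary directories are assumptions for the demo.

```csharp
// Added example (not from the original question/answer).
// Assumes: Microsoft.AspNetCore.DataProtection.Extensions, .NET 6+.
using System;
using System.IO;
using System.Security.Cryptography;
using Microsoft.AspNetCore.DataProtection;

static class WebFarmKeyRingDemo
{
    // Builds a provider the way every app server in the farm should: pointed at one
    // shared key directory (a UNC share such as \\fileserver\dpkeys in production).
    static IDataProtectionProvider CreateProvider(DirectoryInfo keyDir) =>
        DataProtectionProvider.Create(keyDir, builder =>
        {
            // Same application name on every server; this only isolates payloads
            // between apps that share a key ring, it does NOT make key rings compatible.
            builder.SetApplicationName("WebAppName");

            // Rotate more often than the 90-day default (the answer's suggestion).
            builder.SetDefaultKeyLifetime(TimeSpan.FromDays(14));

            // With an explicit file-system location the key XML is written in the clear
            // unless you encrypt it at rest, e.g. builder.ProtectKeysWithCertificate(cert);
            // at minimum, restrict the share's ACL to the app-pool identity.
        });

    static DirectoryInfo TempKeyDir(string label)
    {
        var dir = new DirectoryInfo(Path.Combine(Path.GetTempPath(), $"dpkeys-{label}-{Guid.NewGuid():N}"));
        dir.Create();
        return dir;
    }

    static void Main()
    {
        DirectoryInfo shared = TempKeyDir("shared");     // simulated network share
        DirectoryInfo isolated = TempKeyDir("isolated"); // simulated per-machine %LOCALAPPDATA%
        try
        {
            // Server A handles the first request and mints a token (first Protect call
            // also creates key-{guid}.xml in the shared directory).
            IDataProtector serverA = CreateProvider(shared).CreateProtector("AntiforgeryDemo");
            string token = serverA.Protect("user=alice;nonce=1234");

            // Server B (no affinity) gets the follow-up request; same key ring, so it works.
            IDataProtector serverB = CreateProvider(shared).CreateProtector("AntiforgeryDemo");
            Console.WriteLine("server B: " + serverB.Unprotect(token));

            // Server C has its own key ring. Same application name, different keys:
            // this is the "key {guid} was not found in the key ring" error from the question.
            IDataProtector serverC = CreateProvider(isolated).CreateProtector("AntiforgeryDemo");
            try
            {
                serverC.Unprotect(token);
            }
            catch (CryptographicException ex)
            {
                Console.WriteLine("server C: " + ex.Message);
            }
        }
        finally
        {
            shared.Delete(recursive: true);
            isolated.Delete(recursive: true);
        }
    }
}
```

Run it once and you will see server B print the original payload while server C reports the missing key GUID. The takeaway matches the answer: SetApplicationName alone never fixes a farm, because it is a purpose discriminator, not key material; the servers must read the same key ring, and a key ring on a share should be encrypted at rest and ACL-restricted because it holds the master keys that protect every antiforgery and authentication cookie the farm issues.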