Using Antiforgery in ASP.NET Core and got error - the antiforgery token could not be decrypted
My ASP.Net Core MVC application have added Antiforgery middleware like below:
startup.cs
services.AddMvc();
services.AddSession();
services.AddCaching();
services.AddSession(o =>
{
o.IdleTimeout = TimeSpan.FromMinutes(120);
});
services.AddAntiforgery();
I've added below in the view and controller
View:
Controller
[HttpPost, ValidateAntiForgeryToken]
public IActionResult Login(IFormCollection formCollection)
{...}
The problem is users always get below when users come across different forms.
System.InvalidOperationException: The antiforgery token could not be decrypted. ---> System.Security.Cryptography.CryptographicException: The key {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} was not found in the key ring.
I found a solution which suggests setting a static pair of validation/decryption key in the web.config but it seems this solution is only for classic asp.net application. How should I do in ASP.Net core?
Answer
I've had exactly that error on a ASP .net core app hosted on a linux container.
From the docs it would seem if you don't meet certain criteria the keys are only persisted in the process - but that even for me was not working.
First the error occurred with the default setup.
I then added specific configuration for the keys on the filesystem:
services.AddDataProtection()
.PersistKeysToFileSystem(new System.IO.DirectoryInfo(@"/var/my-af-keys/"));
This also didn't fix the issue I had to set an application name:
services.AddDataProtection()
.SetApplicationName("fow-customer-portal")
.PersistKeysToFileSystem(new System.IO.DirectoryInfo(@"/var/dpkeys/"));
I haven't confirmed but its possible nature of the LXC hosting means .net core cannot persist the identity of the app.