The antiforgery token could not be decrypted: The payload was invalid #47774
Comments
@ptzremote Thanks for the report! Are you only seeing that when the two apps use different versions of .NET or does it happen with two 4.5.7 or two 5.0 apps?
Any luck? I have the same issue between a .NET 4.8 MVC web app and a .NET 6.0 ASP Web API app. I got past the Key Ring error and not finding the header and cookie errors (so I believe this is really just an encryption? problem). Both are configured to use the same shared key from the file system.
at Microsoft.AspNetCore.DataProtection.Cng.CbcAuthenticatedEncryptor.DecryptImpl(Byte* pbCiphertext, UInt32 cbCiphertext, Byte* pbAdditionalAuthenticatedData, UInt32 cbAdditionalAuthenticatedData)
The ASP.NET app is configured to use Microsoft.AspNetCore.DataProtection.SystemWeb
If you want to customize the behavior of the ASP.NET Core Data Protection stack, set the
This sounds very similar to #39958.
Closing as a dup, pending new information.
Might be related to this: umbraco/Umbraco-CMS#16107
Is there an existing issue for this?
Describe the bug
I want to send a request from one application to another and validate the anti-forgery token.
Expected Behavior
Validation will complete successfully.
Steps To Reproduce
services.AddDataProtection()
    .SetApplicationName("demo")
    .PersistKeysToFileSystem(new DirectoryInfo(
        Path.Combine(HostingEnvironment.ApplicationPhysicalPath, "..", "keys")));

<form action="http://localhost:1055/home/index" method="post">
    @Html.AntiForgeryToken()
    <button type="submit">Send</button>
</form>

_antiforgery.ValidateRequestAsync(HttpContext)
Exceptions (if any)
The antiforgery token could not be decrypted.
at Microsoft.AspNetCore.Antiforgery.DefaultAntiforgeryTokenSerializer.Deserialize(String serializedToken)
at Microsoft.AspNetCore.Antiforgery.DefaultAntiforgery.DeserializeTokens(HttpContext httpContext, AntiforgeryTokenSet antiforgeryTokenSet, AntiforgeryToken& cookieToken, AntiforgeryToken& requestToken)
at Microsoft.AspNetCore.Antiforgery.DefaultAntiforgery.ValidateTokens(HttpContext httpContext, AntiforgeryTokenSet antiforgeryTokenSet)
at Microsoft.AspNetCore.Antiforgery.DefaultAntiforgery.d__9.MoveNext()
InnerException:
The payload was invalid.
at Microsoft.AspNetCore.DataProtection.Cng.CbcAuthenticatedEncryptor.DecryptImpl(Byte* pbCiphertext, UInt32 cbCiphertext, Byte* pbAdditionalAuthenticatedData, UInt32 cbAdditionalAuthenticatedData)
at Microsoft.AspNetCore.DataProtection.Cng.Internal.CngAuthenticatedEncryptorBase.Decrypt(ArraySegment`1 ciphertext, ArraySegment`1 additionalAuthenticatedData)
at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.UnprotectCore(Byte[] protectedData, Boolean allowOperationsOnRevokedKeys, UnprotectStatus& status)
at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.DangerousUnprotect(Byte[] protectedData, Boolean ignoreRevocationErrors, Boolean& requiresMigration, Boolean& wasRevoked)
at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.Unprotect(Byte[] protectedData)
at Microsoft.AspNetCore.Antiforgery.DefaultAntiforgeryTokenSerializer.Deserialize(String serializedToken)
.NET Version
4.7.2;5.0
Anything else?
Repo: https://github.com/ptzremote/InvalidPayload
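
Added example, not part of the issue thread or of the ASP.NET Core code base: a console check that separates "the key ring is not shared" from "the key ring is shared but the protector is bound to a different application name or purpose", since both surface as a failed `Unprotect`. The scratch directory, the purpose string and the `"other"` application name are assumptions made for the check; it does not establish the cause of this particular report.

```csharp
// Added diagnostic, not code from the issue or from ASP.NET Core.
// Needs the Microsoft.AspNetCore.DataProtection.Extensions package.
using System;
using System.IO;
using System.Security.Cryptography;
using Microsoft.AspNetCore.DataProtection;

static class KeyRingCheck
{
    const string Sample = "constructed-sample-token"; // constructed test value

    // Each "app" builds its own provider over the same key directory.
    static IDataProtectionProvider App(DirectoryInfo keys, string appName) =>
        DataProtectionProvider.Create(keys, b => b.SetApplicationName(appName));

    // True when 'reader' can unprotect what 'writer' protected.
    static bool CanRoundTrip(IDataProtector writer, IDataProtector reader)
    {
        string payload = writer.Protect(Sample);
        try { return reader.Unprotect(payload) == Sample; }
        catch (CryptographicException ex)
        {
            Console.WriteLine("  unprotect failed: " + ex.Message);
            return false;
        }
    }

    static void Main()
    {
        // Assumed scratch directory standing in for the shared "keys" folder.
        var keys = new DirectoryInfo(Path.Combine(Path.GetTempPath(), "dp-keyring-check"));
        const string purpose = "Example.Purpose.v1"; // hypothetical purpose string

        var appA = App(keys, "demo");
        var appB = App(keys, "demo");   // second app: same ring, same name
        var appC = App(keys, "other");  // same ring, different application name

        Console.WriteLine("same name, same purpose: " +
            CanRoundTrip(appA.CreateProtector(purpose), appB.CreateProtector(purpose)));
        Console.WriteLine("same name, different purpose: " +
            CanRoundTrip(appA.CreateProtector(purpose), appB.CreateProtector(purpose + ".x")));
        Console.WriteLine("different name, same purpose: " +
            CanRoundTrip(appA.CreateProtector(purpose), appC.CreateProtector(purpose)));
    }
}
```

If the first case succeeds across the two real applications' key directories, key sharing is working and the remaining variables are the application name and the purpose chain each side uses when it creates its protector.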