asp.net web api - OWIN - clear invalid WSFederation cookies


I implemented an ASP.NET Web API 2 project with ADFS cookie authentication, hosted on IIS. It works fine.

However, some clients have old cookies that became invalid because of configuration changes. Such cookies cause the following error when calling the API:

[CryptographicException: Key not valid for use in specified state.]
   System.Security.Cryptography.ProtectedData.Unprotect(Byte[] encryptedData, Byte[] optionalEntropy, DataProtectionScope scope) +447
   System.IdentityModel.ProtectedDataCookieTransform.Decode(Byte[] encoded) +49

[InvalidOperationException: ID1073: A CryptographicException occurred when attempting to decrypt the cookie using the ProtectedData API (see inner exception for details). If you are using IIS 7.5, this could be due to the loadUserProfile setting on the Application Pool being set to false.]
   System.IdentityModel.ProtectedDataCookieTransform.Decode(Byte[] encoded) +329
   System.IdentityModel.Tokens.SessionSecurityTokenHandler.ApplyTransforms(Byte[] cookie, Boolean outbound) +167
   System.IdentityModel.Tokens.SessionSecurityTokenHandler.ReadToken(XmlReader reader, SecurityTokenResolver tokenResolver) +826
   System.IdentityModel.Tokens.SessionSecurityTokenHandler.ReadToken(Byte[] token, SecurityTokenResolver tokenResolver) +92
   System.IdentityModel.Services.SessionAuthenticationModule.ReadSessionTokenFromCookie(Byte[] sessionCookie) +569
   System.IdentityModel.Services.SessionAuthenticationModule.TryReadSessionTokenFromCookie(SessionSecurityToken& sessionToken) +306
   System.IdentityModel.Services.SessionAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs eventArgs) +159
   System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +142
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +92

The obvious workaround is to clear the cookies. However, it's likely I'll change the cookie configuration again in the future, so I'd like to clear invalid cookies automatically from the API.

I've tried adding custom OWIN middleware and overriding IExceptionHandler.

Here's the WIF config:

<system.identityModel>
  <identityConfiguration>
    <audienceUris>
      <add value="https://my.web-api.com" />
    </audienceUris>
    <issuerNameRegistry type="System.IdentityModel.Tokens.ValidatingIssuerNameRegistry, System.IdentityModel.Tokens.ValidatingIssuerNameRegistry">
      <authority name="adfs">
        <keys>
          <add thumbprint="--a thumbprint--" />
        </keys>
        <validIssuers>
          <add name="http://my.adfs.com/adfs/services/trust" />
        </validIssuers>
      </authority>
    </issuerNameRegistry>
  </identityConfiguration>
</system.identityModel>
<system.identityModel.services>
  <federationConfiguration>
    <wsFederation issuer="https://my.adfs.com/adfs/ls" realm="https://my.web-api.com" requireHttps="true" passiveRedirectEnabled="false"
                  persistentCookiesOnPassiveRedirects="true" />
    <cookieHandler name="my.cookie" path="/" persistentSessionLifetime="7.0:0:0" />
    <serviceCertificate>
      <certificateReference x509FindType="FindBySubjectName" findValue="my.web-api.com" storeLocation="LocalMachine" storeName="My" />
    </serviceCertificate>
  </federationConfiguration>
</system.identityModel.services>

Here's the Startup class:

using System.Web.Http;
using System.Web.Http.ExceptionHandling;
using Owin;

public class Startup
{
    public void Configuration(IAppBuilder appBuilder)
    {
        var config = new HttpConfiguration();

        // Swap Web API's default exception handler for a custom one
        config.Services.Replace(typeof(IExceptionHandler), new CryptographicExceptionHandler());
        WebApiConfig.Register(config);
        appBuilder.UseWebApi(config);
        appBuilder.Use<ClearInvalidCookiesMiddleware>();
    }
}

No matter what's inside CryptographicExceptionHandler and ClearInvalidCookiesMiddleware, the code is not called and I'm getting a 500 error. I tried moving ClearInvalidCookiesMiddleware before UseWebApi.

My aim is to add a Set-Cookie response header that clears the invalid cookies and to return 401 or redirect.

How can I make OWIN customize the response in this case?

The solution appeared to be to override SessionAuthenticationModule.OnAuthenticateRequest and call SignOut() in case of exceptions:

using System;
using System.IdentityModel.Services;
using System.Security.Cryptography;
using System.Xml;

class ClearInvalidCookiesSessionAuthenticationModule : SessionAuthenticationModule
{
    protected override void OnAuthenticateRequest(object sender, EventArgs eventArgs)
    {
        try
        {
            base.OnAuthenticateRequest(sender, eventArgs);
        }
        catch (InvalidOperationException ex) when (ex.InnerException is CryptographicException) // invalid cookie signing key
        {
            // Deletes the session cookie via the configured CookieHandler
            SignOut();
        }
        catch (XmlException) // invalid cookie structure
        {
            SignOut();
        }
    }
}

To use the inherited class instead of the default one, one should insert the following line inside web.config:

<system.webServer>
  <modules ...>
    <!-- insert the line below or replace the existing SessionAuthenticationModule -->
    <add name="SessionAuthenticationModule" preCondition="managedHandler"
         type="MyNamespace.ClearInvalidCookiesSessionAuthenticationModule, MyAssembly" />
    ...
  </modules>
  ...
</system.webServer>
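The module in the answer lets the request continue anonymously after the bad cookie is deleted, so the client only sees a 401 if the action it hit is protected. The variant below is an added example, not the answer's own code: it keeps the same narrow exception filter (DPAPI refused to decrypt the cookie, or the decrypted payload is not well-formed XML) but, after SignOut() has queued the cookie deletion, it ends the request itself with an explicit 401 so an API client with a dead cookie always gets the same answer. The namespace and class name (MyNamespace, ApiSessionAuthenticationModule) are assumptions; it is registered in web.config exactly like the module above.

```csharp
// Added example, not part of the original answer.
// Assumed names: MyNamespace, ApiSessionAuthenticationModule.
using System;
using System.IdentityModel.Services;
using System.Security.Cryptography;
using System.Web;
using System.Xml;

namespace MyNamespace
{
    public class ApiSessionAuthenticationModule : SessionAuthenticationModule
    {
        protected override void OnAuthenticateRequest(object sender, EventArgs eventArgs)
        {
            var application = (HttpApplication)sender;
            try
            {
                base.OnAuthenticateRequest(sender, eventArgs);
            }
            catch (Exception ex) when (IsUnreadableCookie(ex))
            {
                RejectInvalidCookie(application.Context);
            }
        }

        // Only swallow failures that mean "this cookie can never be read again":
        // ProtectedData.Unprotect rejected it (key, profile or configuration
        // changed) or the decrypted payload is not well-formed XML.
        // Every other exception still bubbles up as before.
        private static bool IsUnreadableCookie(Exception ex)
        {
            return (ex is InvalidOperationException && ex.InnerException is CryptographicException)
                || ex is XmlException;
        }

        private void RejectInvalidCookie(HttpContext context)
        {
            // SignOut() deletes the session cookie through the configured
            // CookieHandler (an expired Set-Cookie for "my.cookie" in the
            // config above), so the client stops presenting it.
            SignOut();

            // There is nobody to redirect for an API call, so answer 401 now
            // and skip the remaining pipeline stages instead of letting the
            // request reach a handler as an anonymous user.
            context.Response.Clear();
            context.Response.StatusCode = 401;
            context.Response.StatusDescription = "Invalid session cookie";
            context.ApplicationInstance.CompleteRequest();
        }
    }
}
```

CompleteRequest() jumps straight to EndRequest, which is what makes the 401 reach the client on the same round trip as the cookie deletion; a cookie that fails for any other reason (for example a SecurityTokenException) is deliberately left to the base module's normal handling.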
