我目前正在使用Forms Auth对子域进行身份验证。所以我有以下服务器:
site1.domain.com
site2.domain.com
他们可以共享Forms Auth cookie。以下是可能的链接: http://msdn.microsoft.com/en-us/library/eb0zx8fc(v=VS.100).aspx
但现在我正在向我的应用程序添加声明,而且当我调用此行时似乎:
var sessionToken = new SessionSecurityToken(principal);
FederatedAuthentication.SessionAuthenticationModule.CookieHandler.Domain = "domain.com";
FederatedAuthentication.SessionAuthenticationModule.WriteSessionTokenToCookie(sessionToken);
编写了一个“FedAuth =”cookie,其中包含序列化和加密的声明。
但是现在我无法在我的一个子域(site1)中设置FedAuth cookie并让另一个子域读取它(site2)。我收到这个错误:
Key not valid for use in specified state.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.Security.Cryptography.CryptographicException: Key not valid for use in specified state.
Source Error:
An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.
Stack Trace:
[CryptographicException: Key not valid for use in specified state.]
System.Security.Cryptography.ProtectedData.Unprotect(Byte[] encryptedData, Byte[] optionalEntropy, DataProtectionScope scope) +397
System.IdentityModel.ProtectedDataCookieTransform.Decode(Byte[] encoded) +90
[InvalidOperationException: ID1073: A CryptographicException occurred when attempting to decrypt the cookie using the ProtectedData API (see inner exception for details). If you are using IIS 7.5, this could be due to the loadUserProfile setting on the Application Pool being set to false.]
System.IdentityModel.ProtectedDataCookieTransform.Decode(Byte[] encoded) +1158198
System.IdentityModel.Tokens.SessionSecurityTokenHandler.ApplyTransforms(Byte[] cookie, Boolean outbound) +173
System.IdentityModel.Tokens.SessionSecurityTokenHandler.ReadToken(XmlReader reader, SecurityTokenResolver tokenResolver) +756
System.IdentityModel.Tokens.SessionSecurityTokenHandler.ReadToken(Byte[] token, SecurityTokenResolver tokenResolver) +100
System.IdentityModel.Services.SessionAuthenticationModule.ReadSessionTokenFromCookie(Byte[sessionCookie) +668
System.IdentityModel.Services.SessionAuthenticationModule.TryReadSessionTokenFromCookie(SessionSecurityToken& sessionToken) +164
System.IdentityModel.Services.SessionAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs eventArgs) +173
System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +80
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +165
之前,使用Forms Auth,这不是问题,它只是起作用。
为了在所有使用相同域的子域之间共享这些FedAuth cookie,我需要做什么?
是的,两个站点的web.config文件都有相同的machineKey。并且每个站点的应用程序池上的loadProfile设置都设置为false。
我希望能够在不涉及STS的情况下做到这一点。 STS引入了开销和复杂性,我没有看到为什么你不能将FedAuth cookie子域中的声明包含在内的任何理由。
谢谢, 麦克
答案 0 :(得分:1)
我实际上在这个答案的web.config文件设置中找到了我的问题的答案:MachineKeySessionSecurityTokenHandler and the session token expiring between application restarts