Warning: file_get_contents(/data/phpspider/zhask/data//catemap/2/jquery/74.json): failed to open stream: No such file or directory in /data/phpspider/zhask/libs/function.php on line 167

Warning: Invalid argument supplied for foreach() in /data/phpspider/zhask/libs/tag.function.php on line 1116

Notice: Undefined index: in /data/phpspider/zhask/libs/function.php on line 180

Warning: array_chunk() expects parameter 1 to be array, null given in /data/phpspider/zhask/libs/function.php on line 181
Asp.net web api OWIN-清除无效的WSFederation Cookie_Asp.net Web Api_Owin_Adfs_Ws Federation_Owin Middleware - Fatal编程技术网
Fatal编程技术网

Asp.net web api OWIN-清除无效的WSFederation Cookie

asp.net-web-api

Asp.net web api OWIN-清除无效的WSFederation Cookie,asp.net-web-api,owin,adfs,ws-federation,owin-middleware,Asp.net Web Api,Owin,Adfs,Ws Federation,Owin Middleware,我使用ADFS cookie身份验证实现了一个ASP.NETWebAPI2项目,并将其托管在IIS上。一切正常 但是,一些客户端已获得旧cookie,由于配置更改而变得无效。调用my API时,此类Cookie会导致以下错误: [CryptographicException: Key not valid for use in specified state. ] System.Security.Cryptography.ProtectedData.Unprotect(Byte[] encr

我使用ADFS cookie身份验证实现了一个ASP.NETWebAPI2项目,并将其托管在IIS上。一切正常

但是,一些客户端已获得旧cookie,由于配置更改而变得无效。调用my API时,此类Cookie会导致以下错误:

[CryptographicException: Key not valid for use in specified state.
]
   System.Security.Cryptography.ProtectedData.Unprotect(Byte[] encryptedData, Byte[] optionalEntropy, DataProtectionScope scope) +447
   System.IdentityModel.ProtectedDataCookieTransform.Decode(Byte[] encoded) +49

[InvalidOperationException: ID1073: A CryptographicException occurred when attempting to decrypt the cookie using the ProtectedData API (see inner exception for details). If you are using IIS 7.5, this could be due to the loadUserProfile setting on the Application Pool being set to false. ]
   System.IdentityModel.ProtectedDataCookieTransform.Decode(Byte[] encoded) +329
   System.IdentityModel.Tokens.SessionSecurityTokenHandler.ApplyTransforms(Byte[] cookie, Boolean outbound) +167
   System.IdentityModel.Tokens.SessionSecurityTokenHandler.ReadToken(XmlReader reader, SecurityTokenResolver tokenResolver) +826
   System.IdentityModel.Tokens.SessionSecurityTokenHandler.ReadToken(Byte[] token, SecurityTokenResolver tokenResolver) +92
   System.IdentityModel.Services.SessionAuthenticationModule.ReadSessionTokenFromCookie(Byte[] sessionCookie) +569
   System.IdentityModel.Services.SessionAuthenticationModule.TryReadSessionTokenFromCookie(SessionSecurityToken& sessionToken) +306
   System.IdentityModel.Services.SessionAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs eventArgs) +159
   System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +142
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +92
显而易见的解决办法是清除cookies。但是,将来我可能会再次更改Cookie配置,因此我希望自动从API中清除所有无效的Cookie

我尝试添加一个自定义OWIN中间件并重写
IEExceptionHandler

以下是我的WIF配置:

<system.identityModel>
  <identityConfiguration>
    <audienceUris>
      <add value="https://my.web-api.com" />
    </audienceUris>
    <issuerNameRegistry type="System.IdentityModel.Tokens.ValidatingIssuerNameRegistry, System.IdentityModel.Tokens.ValidatingIssuerNameRegistry">
      <authority name="ADFS">
        <keys>
          <add thumbprint="--a thumbprint--" />
        </keys>
        <validIssuers>
          <add name="http://my.adfs.com/adfs/services/trust" />
        </validIssuers>
      </authority>
    </issuerNameRegistry>
  </identityConfiguration>
</system.identityModel>
<system.identityModel.services>
  <federationConfiguration>
    <wsFederation issuer="https://my.adfs.com/adfs/ls" realm="https://my.web-api.com" requireHttps="true" passiveRedirectEnabled="false"
                  persistentCookiesOnPassiveRedirects="true" />
    <cookieHandler name="my.cookie" path="/" persistentSessionLifetime="7.0:0:0" />
    <serviceCertificate>
      <certificateReference x509FindType="FindBySubjectName" findValue="my.web-api.com" storeLocation="LocalMachine" storeName="My" />
    </serviceCertificate>
  </federationConfiguration>
</system.identityModel.services>
无论
CryptographicExceptionHandler
ClearInvalidCookiesMiddleware
中包含什么,它们的代码都不会被调用,我会得到500个错误。我还尝试在
UseWebApi
之前移动
ClearInvalidCookies中间件

我的目标是添加
Set Cookie
响应头以清除无效Cookie并返回401或重定向


在这种情况下,如何使OWIN自定义响应?
解决方案似乎覆盖了
SessionAuthenticationModule.OnAuthenticateRequest
并在异常情况下调用
SignOut()


class ClearInvalidCookiesSessionAuthenticationModule : SessionAuthenticationModule
{
    protected override void OnAuthenticateRequest(object sender, EventArgs eventArgs)
    {
        try
        {
            base.OnAuthenticateRequest(sender, eventArgs);
        }
        catch(InvalidOperationException ex) when (ex.InnerException is CryptographicException) // Invalid cookie signing key
        {
            SignOut();
        }
        catch(System.Xml.XmlException) // Invalid cookie structure
        {
            SignOut();
        }
    }
}


要使用继承的类而不是默认类,应在Web.config中插入以下行:


<system.webServer>
  <modules ...>
    <!-- Insert the line below or replace existing SessionAuthenticationModule -->
    <add name="SessionAuthenticationModule" preCondition="managedHandler"
         type="MyNamespace.ClearInvalidCookiesSessionAuthenticationModule, MyAssembly" />
    ...
  </modules>
...
</system.webServer>




...
...



<system.webServer>
  <modules ...>
    <!-- Insert the line below or replace existing SessionAuthenticationModule -->
    <add name="SessionAuthenticationModule" preCondition="managedHandler"
         type="MyNamespace.ClearInvalidCookiesSessionAuthenticationModule, MyAssembly" />
    ...
  </modules>
...
</system.webServer>