Comments (9)
Dude, you're a lifesaver! I was starting to look at having to roll my own and you are right... it is PAINFUL! Fortunately I had the wherewithal to circle back to see if I had done something wrong. It looks like I was either using `compatibilityMode="Framework20SP1"` instead of `compatibilityMode="Framework20SP2"` or I had made that change on my website Web.config instead of my API Web.config (the API in my site is hosted in a different application).
Once I got that straightened out, it worked perfectly and I was able to round-trip a cookie from old to new site and back again. You literally saved me days.
Thanks!
from aspnetcore.legacyauthcookiecompat.
Not sure! Perhaps you could add a failing test case to the tests?
from aspnetcore.legacyauthcookiecompat.
After some debugging it looks like the hash check is failing. Specifically, the `Sha1HashProvider.CheckHash` method is returning `false` to the `CheckHashAndRemove` method which returns a `null` array to the `LegacyFormsAuthenticationTicketEncryptor.DecryptCookie` method which throws a generic `System.Exception`.
Not knowing much about the binary cookie format myself... any guesses as to why the hash check would be failing?
from aspnetcore.legacyauthcookiecompat.
This looks to be basically the same issue reported in #5. The solution there seems to have been to use `compatibilityMode="Framework20SP2"` which you have already tried. Can you just double check that - by creating a brand new cookie with a brand new machine key, and `compatibilityMode="Framework20SP2"` has the same problem - if you have not double checked already that is.
To be honest I spent days putting this library together, by reverse engineering the .NET 3.5 stack in conjunction with reading the documented source code, to work out what was going on. IT WAS PRETTY PAINFUL and I don't want to have to wear that hat again. I did notice whilst doing this that the .NET 4, 4.5 frameworks had variations with how they handled the cookie decryption / encryption, but it wasn't my primary concern to support all possible code paths at the time, I was just focusing on my own code path. So I am not surprised that there may be some issues here. Unfortunately I won't have time in the foreseeable future to investigate it though - however if you do work out what is going on, I will gladly accept a pull request.
Perhaps one of the commenters on #5 might be able to help you?
from aspnetcore.legacyauthcookiecompat.
Haha no problem, glad it helped!
from aspnetcore.legacyauthcookiecompat.
@jacobslusser : I am in exactly the same scenario as yours. Do you mind providing me the working code so I can take a look at the decryption?
from aspnetcore.legacyauthcookiecompat.
The way I implemented this was to write a custom authentication handler based on the official ASP.NET Core cookies implementation here: https://github.com/aspnet/Security/blob/rel/2.0.0/src/Microsoft.AspNetCore.Authentication.Cookies/CookieAuthenticationHandler.cs
The part using the LegacyAuthCookieCompat library is basically this:
```csharp
string cookie;
if (!Context.Request.Cookies.TryGetValue(Options.Name, out cookie) || string.IsNullOrEmpty(cookie))
{
    // No cookie was provided
    logger.LogInformation("Cookie was not found or was empty.");
    return AuthenticateResult.NoResult();
}

FormsAuthenticationTicket legacyTicket;
UserContext userContext;
try
{
    var encryptor = new LegacyFormsAuthenticationTicketEncryptor(Options.DecryptionKey, Options.ValidationKey);
    legacyTicket = encryptor.DecryptCookie(cookie);
    userContext = JsonConvert.DeserializeObject<UserContext>(legacyTicket.UserData);
}
catch (Exception ex)
{
    // Any exception here would just be garbage (e.g. System.Exception, CryptographicException, etc.)
    logger.LogWarning(ex, "Cookie authentication failed during decryption. Message: {Message}", ex.Message);
    return AuthenticateResult.Fail("Cookie was not in a valid format.");
}
```

The `UserContext` object is our model for user data.
from aspnetcore.legacyauthcookiecompat.
Unfortunately my cookie is not evenly divisible by 2 and thus fails at the 'hex to binary' conversion step. I am not sure why my cookie is not in hexadecimal format.
from aspnetcore.legacyauthcookiecompat.
> Unfortunately my cookie is not evenly divisible by 2 and thus fails at the 'hex to binary' conversion step. I am not sure why my cookie is not in hexadecimal format

What cookie? Any details on how it's produced? Are you perhaps looking at the wrong authentication cookie?
from aspnetcore.legacyauthcookiecompat.
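The two failures reported in this thread (the hash check returning false, and a cookie that fails the hex-to-binary step) can be told apart before decryption is attempted. The following is an added example, not code from the library or from any commenter; `LegacyCookieTriage` and `CookieCheck` are hypothetical names, and it assumes the cookie is hex text whose last 20 bytes are an HMAC-SHA1, keyed with the validation key, over all preceding bytes. It needs C# 8 or later.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;

public enum CookieCheck { Ok, NotHex, TooShort, HashMismatch }

public static class LegacyCookieTriage
{
    const int Sha1Size = 20; // HMAC-SHA1 output length in bytes

    // Assumed layout: hex(body || HMAC-SHA1(validationKey, body)).
    public static CookieCheck Classify(string cookie, byte[] validationKey)
    {
        if (!TryFromHex(cookie, out byte[] blob)) return CookieCheck.NotHex;
        if (blob.Length <= Sha1Size) return CookieCheck.TooShort;
        int bodyLength = blob.Length - Sha1Size;
        using var hmac = new HMACSHA1(validationKey);
        byte[] expected = hmac.ComputeHash(blob, 0, bodyLength);
        // Constant-time compare so the check does not leak how many bytes matched.
        return CryptographicOperations.FixedTimeEquals(expected, blob.AsSpan(bodyLength))
            ? CookieCheck.Ok : CookieCheck.HashMismatch;
    }

    // Rejects odd-length input and non-hex characters instead of throwing.
    static bool TryFromHex(string text, out byte[] bytes)
    {
        bytes = Array.Empty<byte>();
        if (string.IsNullOrEmpty(text) || text.Length % 2 != 0) return false;
        var result = new byte[text.Length / 2];
        for (int i = 0; i < result.Length; i++)
        {
            char hi = text[2 * i], lo = text[2 * i + 1];
            if (!Uri.IsHexDigit(hi) || !Uri.IsHexDigit(lo)) return false;
            result[i] = (byte)(Uri.FromHex(hi) * 16 + Uri.FromHex(lo));
        }
        bytes = result;
        return true;
    }

    public static void Main()
    {
        // Constructed sample: throwaway key and body, not a real ticket.
        byte[] key = Enumerable.Range(0, 64).Select(i => (byte)i).ToArray();
        byte[] body = Enumerable.Range(0, 48).Select(i => (byte)(i * 7)).ToArray();
        using var hmac = new HMACSHA1(key);
        byte[] blob = body.Concat(hmac.ComputeHash(body)).ToArray();
        string cookie = BitConverter.ToString(blob).Replace("-", "");
        Console.WriteLine(Classify(cookie, key));              // intact cookie, matching key
        Console.WriteLine(Classify(cookie.Substring(1), key)); // odd length, as in the report above
        key[0] ^= 0xFF;                                        // simulate a different validation key
        Console.WriteLine(Classify(cookie, key));
    }
}
```

Logging the returned `CookieCheck` value rather than the cookie or key material keeps secrets out of logs while still showing whether the problem is the encoding or the validation key.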