We have an application where we want to change the machine key. This key is used to encrypt sessions, cookies (among other things) in ASP.NET.
When changing the machine key, we expected ASP.NET to make all existing cookies invalid and show the login page when trying to reach a page protected by authentication. However, we end up with the following exception:
[CryptographicException: Error occurred during a cryptographic operation.]
System.Web.Security.Cryptography.HomogenizingCryptoServiceWrapper.HomogenizeErrors(Func`2 func, Byte[] input) +178
System.IdentityModel.Tokens.SessionSecurityTokenHandler.ApplyTransforms(Byte[] cookie, Boolean outbound) +179
System.IdentityModel.Tokens.SessionSecurityTokenHandler.ReadToken(XmlReader reader, SecurityTokenResolver tokenResolver) +827
System.IdentityModel.Tokens.SessionSecurityTokenHandler.ReadToken(Byte[] token, SecurityTokenResolver tokenResolver) +87
System.IdentityModel.Services.SessionAuthenticationModule.ReadSessionTokenFromCookie(Byte[] sessionCookie) +569
System.IdentityModel.Services.SessionAuthenticationModule.TryReadSessionTokenFromCookie(SessionSecurityToken& sessionToken) +306
System.IdentityModel.Services.SessionAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs eventArgs) +159
System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +229
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +98
(I apologize for the bad formatting here.)
This means that changing the machine key breaks existing logged-in users, which is not exactly what we want. We could also clear cookies older than now, but that sounds rather hacky to do.
Is there any way to solve this without explicitly invalidating the user's cookie, as proposed in this post or in this post?
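For reference, this is what the explicit-invalidation workaround the question is trying to avoid looks like, as an added example rather than code from the original post: a Global.asax handler that recognises the CryptographicException thrown by SessionAuthenticationModule for a cookie that can no longer be decrypted, deletes that cookie and re-requests the page so the normal authentication challenge runs. It assumes WIF 4.5 (System.IdentityModel.Services); the redirect-back-to-the-same-URL approach is an assumption, not something the post describes.

```csharp
using System;
using System.IdentityModel.Services;
using System.Security.Cryptography;
using System.Web;

public class Global : HttpApplication
{
    protected void Application_Error(object sender, EventArgs e)
    {
        // The pipeline may wrap the failure; walk the chain for the crypto error.
        Exception ex = Server.GetLastError();
        while (ex != null && !(ex is CryptographicException))
            ex = ex.InnerException;
        if (ex == null)
            return; // not a decryption failure: leave it to normal error handling

        // Only treat it as a stale session cookie when the request actually carried
        // one (a CryptographicException can have other causes, e.g. ViewState).
        SessionAuthenticationModule sam = FederatedAuthentication.SessionAuthenticationModule;
        if (sam == null || Request.Cookies[sam.CookieHandler.Name] == null)
            return;

        Server.ClearError();

        // Expire the undecryptable session cookie in the response. The browser's next
        // request arrives anonymous, so the configured sign-in (login page or STS
        // redirect) takes over instead of the exception recurring. Assumption: the
        // cookie handler's domain/path settings match the cookie being cleared; if they
        // do not, the cookie survives and this would loop.
        sam.DeleteSessionTokenCookie();

        Response.Redirect(Request.RawUrl, false);
        Context.ApplicationInstance.CompleteRequest();
    }
}
```

Redirecting with endResponse=false and completing the request avoids the ThreadAbortException that Response.Redirect(url, true) raises inside Application_Error.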