Copied to clipboard

Flag this post as spam?

This post will be reported to the moderators as potential spam to be looked at


  • Milly 30 posts 130 karma points
    Dec 15, 2016 @ 12:32
    Milly
    0

    Error occurred during a cryptographic operation

    Hi all,

    I'm suddenly getting the following error with a site built using the latest version of Merchello and FastTrack.

    Error occurred during a cryptographic operation     
    
    [CryptographicException: Error occurred during a cryptographic operation.]
           System.Web.Security.Cryptography.HomogenizingCryptoServiceWrapper.HomogenizeErrors(Func`2 func, Byte[] input) +115
           System.Web.Security.Cryptography.HomogenizingCryptoServiceWrapper.Unprotect(Byte[] protectedData) +70
           System.Web.Security.FormsAuthentication.Decrypt(String encryptedTicket) +9688790
           Umbraco.Core.StringExtensions.DecryptWithMachineKey(String value) +170
           Merchello.Web.Models.Customer.CustomerContextDataExtensions.ToCustomerContextData(HttpCookie contextCookie) +99
           Merchello.Web.Pluggable.CustomerContextBase.Initialize() +225
           Merchello.Web.Pluggable.CustomerContextBase..ctor(IMerchelloContext merchelloContext, UmbracoContext umbracoContext) +138
           Merchello.Web.CustomerContext..ctor(UmbracoContext umbracoContext) +54
    

    Does anyone have any ideas? The site is hosting on a shared hosting plan and the only thing that has changed was a domain switch from a .com to .co.uk. It was working fine on the .com.

    It goes away temporarily if I clear my cookies however this isn't great as the average user wouldn't know to do this and I can't expect site visitors to delete their cookies every time they visit the site!

    I have tried a fresh install of Merchello/FastTrack but to no avail...

    Thanks

  • Rusty Swayne 1655 posts 4993 karma points c-trib
    Dec 15, 2016 @ 16:25
    Rusty Swayne
    0

    Can you delete your Merchello cookie and look again? The encryption is based on the web server's machine key.

  • Milly 30 posts 130 karma points
    Dec 16, 2016 @ 09:49
    Milly
    0

    Hi Rusty,

    The error does go away if I delete my cookies, but this isn't really a sustainable solution as the error just seems to come back a few hours later.

    I don't actually have a machineKey setting in the web.config and never have done - is it needed? And if so what do I need to do to add one?

    Thanks :)

  • Rusty Swayne 1655 posts 4993 karma points c-trib
    Dec 16, 2016 @ 17:01
    Rusty Swayne
    0

    You should not need a machine key in the web.config unless you are doing some sort of load balanced setup.

    I've seen this pop up before (rarely) but it's typically when I have a ton of windows open and am doing lots of compiles - then go back and hit an old window.

    I've never seen it "periodically recur".

  • Milly 30 posts 130 karma points
    Dec 21, 2016 @ 10:23
    Milly
    0

    Hmm that is odd..

    The error just keeps re-appearing on my machine and several others, including my phone and also my client's.

    It's frustrating to say the least! I cannot figure out what is triggering it either - I rarely have multiple windows open and it's not like it occurs after I've made a change or anything like that.

  • Rusty Swayne 1655 posts 4993 karma points c-trib
    Dec 21, 2016 @ 16:03
    Rusty Swayne
    0

    Hi Milly,

    Can you try adding a machine key to your web.config and see if that makes a difference. Note (you will need to clear the cookie immediately after the site comes back up with the update do to a change in the encryption seed value change). I'm still having trouble reproducing this consistently on my end but it may be that your web server is recycling the application pool and resetting the machine key (based on an article I read a couple of days ago).

    If this alteration does change things for you, I would appreciate you letting me know so I can look into refactoring things a bit to fix things up.

    It would be also helpful to know what version of Merchello you have installed. One of the possible culprits is a change made in 2.3.1 http://issues.merchello.com/youtrack/issue/M-1070

  • Milly 30 posts 130 karma points
    Dec 21, 2016 @ 22:03
    Milly
    0

    Unfortunately, adding a machine key doesn't seem to make a difference :(.

    I also tried setting the AnonymousCustomerCookieExpiresDays to 0 - no luck either.

    I am using Umbraco 7.5.6, FastTrack 2.3.2 and Merchello 2.3.2.

    Thanks

  • Calvin Frei 106 posts 314 karma points
    Dec 21, 2016 @ 17:52
    Calvin Frei
    0

    Have same issue with 2.3.2 and Umbraco 7.4.3.

    Also get a different error when I am in the Basket go to PayPal cancel it get redirected back to Basket then again PayPal cancel it and then get error:

       System.Reflection.TargetInvocationException: Ein Aufrufziel hat einen Ausnahmefehler verursacht. ---> System.ArgumentException: Invalid value for 'encryptedTicket' parameter.
       bei System.Web.Security.FormsAuthentication.Decrypt(String encryptedTicket)
       bei Umbraco.Core.StringExtensions.DecryptWithMachineKey(String value)
       bei Merchello.Web.Models.Customer.CustomerContextDataExtensions.ToCustomerContextData(HttpCookie contextCookie)
       bei Merchello.Web.Pluggable.CustomerContextBase.Initialize()
       bei Merchello.Web.Pluggable.CustomerContextBase..ctor(IMerchelloContext merchelloContext, UmbracoContext umbracoContext)
       bei Merchello.Web.CustomerContext..ctor(UmbracoContext umbracoContext)
    
  • Rusty Swayne 1655 posts 4993 karma points c-trib
    Dec 21, 2016 @ 18:58
    Rusty Swayne
    0

    Does adding the machine key fix that issue?

  • Calvin Frei 106 posts 314 karma points
    Dec 21, 2016 @ 19:56
    Calvin Frei
    0

    No (already had one before updating).

  • Joel Hansen 38 posts 96 karma points
    Dec 31, 2016 @ 22:31
    Joel Hansen
    0

    I'm getting the same error, also on Umbraco 7.4.3 and Merchello 2.3.2.

    Did any of you find a solution?

  • Rusty Swayne 1655 posts 4993 karma points c-trib
    Jan 03, 2017 @ 16:06
    Rusty Swayne
    0

    Joel, are you getting this on a payment provider or randomly navigating?

  • Joel Hansen 38 posts 96 karma points
    Jan 03, 2017 @ 23:22
    Joel Hansen
    1

    Rusty, thank you for responding. I rolled back the solution, as I didn't have time to deal with it at this point.

    Sorry for the trouble!

  • Tom 23 posts 79 karma points
    Jan 04, 2017 @ 10:59
    Tom
    1

    We're also seeing this in our Solution, after trying a few things (adding a machine key was our first thought) what we think is happening is that the cookie is becoming too large, and so fails when trying to decrypt it.

    We can replicate the behavior that when the merchello cookie hits around 2.4kb, the error appears, deleting the cookie and refreshing the page solves the issue.

    It looks like when we go in and out of the basket process, the cookie size jumps by around 200-400 bytes each time, and as soon as it hits 2.4kb we get the YSOD.

    We have implemented a temporary fix that has solved this by checking the cookie size in a global filter and removes it before it hits this limit and we haven't seen the error since.

    Rusty, if you need any more info, just let us know and we can hopefully get to the bottom of this.

  • Rusty Swayne 1655 posts 4993 karma points c-trib
    Jan 04, 2017 @ 15:56
    Rusty Swayne
    0

    Thanks Tom - that explains a lot and makes total sense, especially when considering sites where multiple cookies might be used and that it really only started to become a prevalent issue with the optional change from a session cookie to a persisted cookie.

    It's interesting that it increments when you hit the basket - I can't think of anything that might be causing that - unless the recent products listing is not cleaning itself up correctly.

  • Rusty Swayne 1655 posts 4993 karma points c-trib
    Jan 04, 2017 @ 20:20
    Rusty Swayne
    0

    I've added an issue here http://issues.merchello.com/youtrack/issue/M-1264 and am nearly done refactoring how the customer context data is persisted.

  • xrisdoc 53 posts 101 karma points
    Jan 13, 2017 @ 16:06
    xrisdoc
    0

    Hello,

    I have encountered this issue too and can see that that when the "merchello" cookie reaches a certain size, I get YSOD.

    I have consolidated my checkout process into a single page, which when requested, will set the Billing and Shipping address in code, as well as the Shipping method and Payment method. I do not require the user to specify any of these, as I already have that pre-determined. So, I am just setting those myself within code.

    I am then preparing an invoice, so that I can pass that data to my view to be presented to the user for them to review prior to them clicking the button to "Place the Order".

    So, it is when this page (CheckoutSummary action in my Surface Controller) is requested each time, that the cookie increases in size.

    The code for my Checkout Surface Controller is available for review at: https://gist.github.com/xrisdoc/1620f4ae38b1aa19a895b604a656e23d#file-checkoutcontroller-cs

    For now, I have tried adding a global filter as @Tom had suggested, to remove the cookie before it reaches a specific size. But, the cookie doesn't seem to be getting removed. Code for this is below:

    public class CookieCheckFilterAttribute : ActionFilterAttribute,  IActionFilter
    {
        public override void OnActionExecuting(ActionExecutingContext filterContext)
        {
            HttpCookie merchelloCookie = filterContext.HttpContext.Request.Cookies.Get("merchello");
    
            if(merchelloCookie != null)
            {
                int maxSize = 2342;
                var size = System.Text.ASCIIEncoding.ASCII.GetByteCount(merchelloCookie.Value);
                if (size >= maxSize)
                {
                    filterContext.HttpContext.Request.Cookies.Remove("merchello");
                    merchelloCookie.Expires = DateTime.Now.AddDays(-10);
                    merchelloCookie.Value = null;
                    filterContext.HttpContext.Response.SetCookie(merchelloCookie);
                }
            }
    
        }
    }
    

    @Tom, is there any chance you would you be willing to share your code for your filter? It would be much appreciated!

    @Rusty, The issue you posted has been marked as "Fixed" now. So, I assume this will be available when you release version 2.4? If so, I was just wondering when that was likely to be? Or, is there any way I can apply this now?

    Thanks!

  • Tom 23 posts 79 karma points
    Jan 13, 2017 @ 16:33
    Tom
    0

    Hi xrisdoc,

    your filter code is almost identical to ours, but we are using the add cookie method, instead of setting it - I think this might be why it isn't working for you.

    Full code posted below:

    public class CheckCookieSizeFilterAttribute : ActionFilterAttribute
    {
        public override void OnActionExecuting(ActionExecutingContext filterContext)
        {
            var merchCookie = filterContext.HttpContext.Request.Cookies["merchello"];
            var maxCookieSize = 2000;
    
            if (merchCookie != null && Encoding.Unicode.GetByteCount(merchCookie.Value) >= maxCookieSize)
            {
                var newMerchCookie = new HttpCookie("merchello") { Expires = DateTime.Now.AddDays(-1) };
                filterContext.HttpContext.Response.Cookies.Add(newMerchCookie);
            }
        }
    }
    
  • Rusty Swayne 1655 posts 4993 karma points c-trib
    Jan 13, 2017 @ 16:44
    Rusty Swayne
    0

    Hi xrisdoc / Tom,

    I've refactored the customer context a bit to store more information directly in the customer / anonymouscustomers extended data collection rather than rely on the now obsolete dictionary (cookie ContextData). There was no noticeable hit to performance, the API did not have to change, aBasnd the changes that were made were not breaking changes - so I considered it a win =)

    The code is available in the merchello-dev branch and will be part of the 2.4.0 release. Hopefully we get that out soon, but I'm currently tasked on a sub-project.

    Essentially 2.4.0 is complete barring install and update tests. I'm using the build myself via the MyGet feed and have not seen any issues when I updated the project I'm working with. If you go that route, make sure to merge in the App_Plugins/Merchello folder files after you pull in the dlls.

  • xrisdoc 53 posts 101 karma points
    Jan 16, 2017 @ 14:58
    xrisdoc
    0

    @Tom, Thanks for sharing your code for removing the cookies.

    However, it still doesn't seem to be removing the "merchello" cookie. The odd thing is, I have tested this with another cookie that I have created and it does work for for that!

    So, it seems that it was just the "merchello" cookie that's not being removed for some reason. Maybe there is something else that is preventing that from being removed at another point. I'll investigate further when when I get a chance.

    @Rusty, Thanks for the info!

    I have managed to get a build from the merchello-dev branch as you suggested and all seems to be working ok for me too.

    Thanks,

    Chris

Please Sign in or register to post replies

Write your reply to:

Draft