Missing documentation of breaking change in .NET 6 #60887

Open
@wschlegel

Type of issue

Missing information

Description

In this documentation on the configuration of data protection under .NET 6 there is a warning (together with a suggested solution) that the default content root path used for key selection has changed, as from .NET 6 a (back)slash is appended depending on the operating system:

https://learn.microsoft.com/en-us/aspnet/core/security/data-protection/configuration/overview?view=aspnetcore-9.0#setapplicationname

If no separate discriminator is set for app isolation via SetApplicationName (which will certainly affect many projects), the web application will no longer be able to decrypt tokens (after the migrated version has been deployed) issued by the old .NET 5 application (which is common for long-lasting tokens). You would need to ask your users to delete their cookies and log in again, which is of course not really an option for public websites.

You get error messages of the following type in the log:

An exception was thrown while deserializing the token.
Microsoft.AspNetCore.Antiforgery.AntiforgeryValidationException: The antiforgery token could not be decrypted.
 ---> System.Security.Cryptography.CryptographicException: The payload was invalid. For more information go to https://aka.ms/aspnet/dataprotectionwarning
   at Microsoft.AspNetCore.DataProtection.Cng.CbcAuthenticatedEncryptor.DecryptImpl(Byte* pbCiphertext, UInt32 cbCiphertext, Byte* pbAdditionalAuthenticatedData, UInt32 cbAdditionalAuthenticatedData)
   at Microsoft.AspNetCore.DataProtection.Cng.Internal.CngAuthenticatedEncryptorBase.Decrypt(ArraySegment1 ciphertext, ArraySegment1 additionalAuthenticatedData)
   at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.UnprotectCore(Byte[] protectedData, Boolean allowOperationsOnRevokedKeys, UnprotectStatus& status)
   at Microsoft.AspNetCore.Antiforgery.DefaultAntiforgeryTokenSerializer.Deserialize(String serializedToken)
   --- End of inner exception stack trace ---
   at Microsoft.AspNetCore.Antiforgery.DefaultAntiforgeryTokenSerializer.Deserialize(String serializedToken)
   at Microsoft.AspNetCore.Antiforgery.DefaultAntiforgery.GetCookieTokenDoesNotThrow(HttpContext httpContext)

I consider this problem sufficient to include it in the documentation of the breaking changes under .NET 6.

Page URL

https://learn.microsoft.com/de-de/dotnet/core/compatibility/6.0

Content source URL

https://github.com/dotnet/docs/blob/main/docs/core/compatibility/6.0.md

Document Version Independent Id

0ea0a42e-2169-349b-e2e8-fb01ff4874ba

Article author

@CamSoper

Metadata

  • ID: a07a4a03-5b9a-0360-7c78-14284b1cb029
  • Service: dotnet-fundamentals

Related Issues


Associated WorkItem - 370940
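
The failure described in this issue can be reproduced outside a web app. The following console program is an added example, not code from the issue or from the ASP.NET Core documentation: it protects a payload under an application name without a trailing separator, then tries to unprotect it under the name with the separator appended and under the trimmed name. The key directory, the content root path and the purpose string are constructed sample values.

```csharp
// Added illustration; requires the Microsoft.AspNetCore.DataProtection package.
using System;
using System.IO;
using System.Security.Cryptography;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.Extensions.DependencyInjection;

// Constructed sample values: a throwaway key directory and a made-up content root.
var keyDir = new DirectoryInfo(Path.Combine(Path.GetTempPath(), "dp-demo-keys"));
var net5Root = Path.Combine(Path.GetTempPath(), "myapp");   // no trailing separator
var net6Root = net5Root + Path.DirectorySeparatorChar;      // separator appended

// Builds a protector; the application name (discriminator) is the only input that varies.
static IDataProtector Build(DirectoryInfo keys, string appName) =>
    new ServiceCollection()
        .AddDataProtection()
        .PersistKeysToFileSystem(keys)      // every instance shares one key ring
        .SetApplicationName(appName)
        .Services.BuildServiceProvider()
        .GetDataProtectionProvider()
        .CreateProtector("Demo.Token.v1");  // hypothetical purpose string

// Token issued by the "old" deployment.
var token = Build(keyDir, net5Root).Protect("user=42");

// Attempts to read the old token under a given application name.
string TryUnprotect(string appName)
{
    try
    {
        return "OK: " + Build(keyDir, appName).Unprotect(token);
    }
    catch (CryptographicException ex)
    {
        // Same exception type as the inner exception in the log above.
        return "FAILED: " + ex.Message;
    }
}

// Same keys, but the discriminator now differs from the one used to protect.
Console.WriteLine(TryUnprotect(net6Root));

// Trimming the separator restores the discriminator the token was issued under.
Console.WriteLine(TryUnprotect(net6Root.TrimEnd(Path.DirectorySeparatorChar)));
```

In a web app the same trimmed value would be passed to SetApplicationName at startup, so that tokens and cookies issued before the migration stay readable.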

Labels: area-dataprotection, breaking-change
