Skip to content

Dealing with session token exceptions with WIF in ASP.NET

October 22, 2012

When doing WIF programming in ASP.NET you will sometimes come across this exception:

“ID4243: Could not create a SecurityToken. A token was not found in the token cache and no cookie was found in the context.”

This exception is thrown when the browser is sending a cookie that contains the user’s claims but something about the processing can’t be performed (either the key has changed so the token can’t be validated or if using a server side cache and the cache is empty). An end user isn’t going to be able to do much about this and they’re going to continue to get the error since the browser will keep sending the cookie.

The easy solution to the problem is to add this snippet to the OnError event in global.asax:

void Application_OnError()
{
    var ex = Context.Error;
    if (ex is SecurityTokenException)
    {
        Context.ClearError();
        if (FederatedAuthentication.SessionAuthenticationModule != null)
        {
            FederatedAuthentication.SessionAuthenticationModule.SignOut();
        }
        Response.Redirect("~/");
    }
}

This detects the token exception and clears the cookie. You could also add logging and have other logic about where to redirect the user (perhaps back to a login page if desired).

HTH

7 Comments leave one →
  1. kalons permalink
    July 12, 2013 10:49 am

    Is this normal WIF operation — we should expect these errors occasionally and nothing can be done to avoid them? What could cause the key to change or the server side cache to be cleared? Thanks.

    • July 13, 2013 7:18 pm

      This is meant to address the issues where the client has an old cookie, or perhaps you’ve changed something such that the cookie won’t validate correctly — instead of just acting like the cookie is absent, WIF throws and I dislike that reaction to the invalid cookie.

  2. kalons permalink
    July 14, 2013 8:26 am

    We’re experiencing this exception once or twice a day. I’m pretty sure the cookie isn’t old. The user has been logged in not much more than an hour, and we’re using sliding sessions from http://tinyurl.com/pwba62q. I guess the token was removed from the server cache, but I have no idea why and how to determine what happened.

  3. fred permalink
    October 22, 2013 10:01 am

    Really good snippet !!
    Thank you.

  4. January 6, 2015 5:46 am

    Just for the record. We also got this error when putting WIF in “reference mode” through
    public override void Init()
    {
    FederatedAuthentication.SessionAuthenticationModule.IsReferenceMode = true;
    }
    in the global.asax. This does not work on a load-balanced server. Since we did not configure sticky sessions on our servers nor a session state provider, we got the ID4243 error. In that case of course, throwing away the cookie would not help. I know you probably know this but I’m just putting it here for people who don’t and do have the ID4243 error.

  5. Brian permalink
    September 14, 2015 8:28 pm

    I am experiencing this problem after putting together a Windows Auth/CAM/SAM solution based on your more recent articles. My problem is when a user on the LAN opens a second browser to the site – the cookie gets sent, but there is no session yet, and the error occurs. Doesn’t matter if SAM isReferenceMode or not. Am I missing something?

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: