
Dealing with session token exceptions with WIF in ASP.NET

October 22, 2012

When doing WIF programming in ASP.NET you will sometimes come across this exception:

“ID4243: Could not create a SecurityToken. A token was not found in the token cache and no cookie was found in the context.”

This exception is thrown when the browser sends a cookie that contains the user’s claims but the cookie can’t be processed: either the key has changed, so the token no longer validates, or a server-side token cache is in use and the entry is gone. An end user can’t do much about this, and they will keep getting the error because the browser keeps sending the same cookie on every request.

The easy solution to the problem is to add this snippet to the OnError event in global.asax:

// Requires System.IdentityModel.Tokens (for SecurityTokenException) and the namespace that
// holds FederatedAuthentication: System.IdentityModel.Services in WIF 4.5 or
// Microsoft.IdentityModel.Web in WIF 3.5. Add them as usings in global.asax.cs or as
// <%@ Import Namespace="..." %> directives if the code lives inline in global.asax.
void Application_OnError()
{
    var ex = Context.Error;
    // ID4243 surfaces as a SecurityTokenException: a stale or unvalidatable session cookie.
    if (ex is SecurityTokenException)
    {
        Context.ClearError();   // suppress the error page; we handle the failure here
        if (FederatedAuthentication.SessionAuthenticationModule != null)
        {
            // SignOut clears the session cookie (and the cached token) so the browser stops resending it.
            FederatedAuthentication.SessionAuthenticationModule.SignOut();
        }
        Response.Redirect("~/");   // start over with a clean, unauthenticated request
    }
}

This detects the token exception and clears the cookie. You could also add logging and have other logic about where to redirect the user (perhaps back to a login page if desired).
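Building on the snippet above, here is a fuller handler with the logging and login redirect the post mentions. It is an added example, not the original author's code; it assumes WIF 4.5 (System.IdentityModel.Services), and the "~/Account/Login" path and the Log helper are placeholders you would replace with your own.

```csharp
// Added example (not from the original post). Assumes WIF 4.5 namespaces;
// LoginUrl and Log(...) are hypothetical placeholders for the app's own values.
using System;
using System.IdentityModel.Services;
using System.IdentityModel.Tokens;
using System.Web;

public partial class Global : HttpApplication
{
    private const string LoginUrl = "~/Account/Login";   // placeholder, adjust for your app

    protected void Application_Error(object sender, EventArgs e)
    {
        // Errors raised during page execution arrive wrapped (HttpUnhandledException),
        // so unwrap to the root cause before deciding whether this is a token problem.
        Exception error = Context.Error;
        Exception root = error == null ? null : error.GetBaseException();
        if (!(root is SecurityTokenException))
        {
            return;   // not a session token failure: leave it to the normal error handling
        }

        Context.ClearError();
        Log("Session token rejected (" + root.Message + "); clearing the session cookie.");

        // SignOut removes the session cookie and, in reference mode, the cached token entry,
        // so the browser stops resending a cookie that can never validate.
        SessionAuthenticationModule sam = FederatedAuthentication.SessionAuthenticationModule;
        if (sam != null)
        {
            sam.SignOut();
        }

        // Send the user to the login page and remember where they were heading.
        string returnUrl = HttpUtility.UrlEncode(Request.RawUrl);
        Response.Redirect(LoginUrl + "?ReturnUrl=" + returnUrl, endResponse: false);

        // endResponse:false avoids the ThreadAbortException that Response.End() raises;
        // CompleteRequest() then ends the pipeline cleanly for this request.
        CompleteRequest();
    }

    private void Log(string message)
    {
        // Stand-in for the application's real logger.
        System.Diagnostics.Trace.TraceWarning(message);
    }
}
```

After the redirect the next request carries no session cookie, so the SessionAuthenticationModule no longer throws and the user simply authenticates again.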

HTH

7 Comments
  1. kalons permalink
    July 12, 2013 10:49 am

    Is this normal WIF operation — we should expect these errors occasionally and nothing can be done to avoid them? What could cause the key to change or the server side cache to be cleared? Thanks.

    • July 13, 2013 7:18 pm

      This is meant to address the issues where the client has an old cookie, or perhaps you’ve changed something such that the cookie won’t validate correctly — instead of just acting like the cookie is absent, WIF throws and I dislike that reaction to the invalid cookie.

  2. kalons permalink
    July 14, 2013 8:26 am

    We’re experiencing this exception once or twice a day. I’m pretty sure the cookie isn’t old. The user has been logged in not much more than an hour, and we’re using sliding sessions from http://tinyurl.com/pwba62q. I guess the token was removed from the server cache, but I have no idea why and how to determine what happened.

  3. fred permalink
    October 22, 2013 10:01 am

    Really good snippet!!
    Thank you.

  4. January 6, 2015 5:46 am

    Just for the record. We also got this error when putting WIF in “reference mode” through
    public override void Init()
    {
        FederatedAuthentication.SessionAuthenticationModule.IsReferenceMode = true;
    }
    in the global.asax. This does not work on a load-balanced server. Since we did not configure sticky sessions on our servers nor a session state provider, we got the ID4243 error. In that case of course, throwing away the cookie would not help. I know you probably know this but I’m just putting it here for people who don’t and do have the ID4243 error.

  5. Brian permalink
    September 14, 2015 8:28 pm

    I am experiencing this problem after putting together a Windows Auth/CAM/SAM solution based on your more recent articles. My problem is when a user on the LAN opens a second browser to the site – the cookie gets sent, but there is no session yet, and the error occurs. Doesn’t matter if SAM isReferenceMode or not. Am I missing something?
