Session change in between Request and Process user authorization

Submitted by 旧城冷巷雨未停 on 2019-12-24 05:49:31

Question


I am trying to implement a simple login page that redirects a user to an OAuth2.0 login server, and then back to a callback URL after they have successfully logged in.

However, I keep getting an exception with the error message:

Unexpected OAuth authorization response received with callback and client state that does not match an expected value.

From debugging I noticed that the session ID before calling "RequestUserAuthorization()" and the session ID after it are different.

I read in some SO answers that I need to somehow prevent the session from changing, but I am not sure how to achieve that in this scenario.

Any help would be appreciated, thanks!

My distilled implementation is as follows:

using System.Web.Mvc;
using DotNetOpenAuth.OAuth2;   // WebServerClient, IAuthorizationState

// WebServerClientCustomImpl, _redirectUrl and CreateAuthCookie() are defined
// elsewhere in the project and are not shown here.
private readonly WebServerClientCustomImpl _oauthClient = new WebServerClientCustomImpl();

public ActionResult Login()
{
    // First visit: there is no authorization response in the request, so this
    // returns null. On the callback it reads code/state from the query string;
    // the state must match the value issued when the redirect was built.
    IAuthorizationState auth = _oauthClient.ProcessUserAuthorization();

    if (auth == null)
    {
        // Start the flow: build the authorization request (including the
        // state value) and redirect the browser to the authorization server.
        _oauthClient.RequestUserAuthorization(returnTo: _redirectUrl);
    }
    else
    {
        // Save authentication information into cookie.
        HttpContext.Response.Cookies.Add(auth.CreateAuthCookie());

        return RedirectToAction("Index", "Home");
    }

    ViewBag.Message = "Future login page...";
    return View();
}

Answer 1:


If you have a problem with the SessionId changing, in most cases it means that there is nothing in the Session object for this user. Just add anything to the session and the SessionId should stay the same for the user:

Session["UserIsHere"] = true;



Answer 2:


I had the same message but different problem.

The URLs (origin and redirect) I registered in the Google OAuth panel started with www.

Some users were going to the web site without the www, and got the error message.

i.e. Google cpanel conf: http://www.somesite.com, redirect to http://www.somesite.com/oauth2

Some users going to http://somesite.com.

Solution: Restrict users to the www version only, or redirect the naked domain to www, so the authentication request always comes from the domain registered in the OAuth panel.

Hope it helps!
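Both answers describe the same underlying failure: the state value that the client attaches to the authorization request is bound to the session that issued it, and the callback is rejected when it arrives under a different session. In the first answer the session id changes because ASP.NET hands out a fresh SessionID while nothing has been stored in session state; in the second, a flow started on the naked domain sets a host-only session cookie that the browser does not send to www.somesite.com when the registered callback URL lands there. The following model of that round trip is an added example and is not code from the question, the answers or DotNetOpenAuth. The authorization endpoint, client id, redirect URI, code value and the in-memory session store are constructed placeholders.

```python
"""Model of the OAuth 2.0 authorization-code round trip, showing why the
callback is rejected when the session that issued the state value is not
the session that receives the callback (added example, not DotNetOpenAuth)."""
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed placeholders; none of these come from the original thread.
AUTHORIZE_ENDPOINT = "https://auth.example/authorize"
CLIENT_ID = "demo-client"
REGISTERED_REDIRECT_URI = "http://www.somesite.com/oauth2"

# Server-side session store keyed by the session id carried in the cookie;
# it stands in for ASP.NET session state.
_sessions: dict = {}


class CallbackMismatch(Exception):
    """Raised when the callback's state is not the one this session issued."""


def new_session() -> str:
    """The server handing out a fresh session id with an empty session."""
    sid = secrets.token_urlsafe(16)
    _sessions[sid] = {}
    return sid


def request_user_authorization(session_id: str) -> str:
    """Issue an unguessable state, bind it to the caller's session and build
    the URL the browser is redirected to (the client side of the CSRF check)."""
    state = secrets.token_urlsafe(32)
    _sessions[session_id]["oauth_state"] = state
    query = urlencode({
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REGISTERED_REDIRECT_URI,
        "state": state,
    })
    return f"{AUTHORIZE_ENDPOINT}?{query}"


def state_from_url(url: str) -> str:
    """The authorization server echoes state unchanged on the callback."""
    return parse_qs(urlparse(url).query)["state"][0]


def process_user_authorization(session_id: str, callback_url: str) -> str:
    """Validate the callback and return the authorization code.

    The state must equal the value stored in *this* session, and it is
    consumed on first use so a replayed or forged callback is rejected."""
    session = _sessions.get(session_id, {})
    expected = session.pop("oauth_state", None)
    params = parse_qs(urlparse(callback_url).query)
    received = params.get("state", [""])[0]
    if expected is None or not secrets.compare_digest(
            expected.encode(), received.encode()):
        raise CallbackMismatch(
            "Unexpected OAuth authorization response received with callback "
            "and client state that does not match an expected value.")
    if "code" not in params:
        raise CallbackMismatch("authorization response carries no code")
    return params["code"][0]


def canonicalize_host(request_url: str, canonical_host: str):
    """Return the URL to send the browser to if it arrived on a host other
    than the registered one (the naked-domain case), else None."""
    parts = urlparse(request_url)
    if parts.netloc.lower() == canonical_host.lower():
        return None
    return parts._replace(netloc=canonical_host).geturl()


def simulate_round_trip(session_survives: bool) -> str:
    """One login round trip; returns "code:<code>" or "mismatch".

    session_survives=False models both situations from the answers: a new
    SessionID because nothing was stored in the session, or a host-only
    cookie from somesite.com that is not sent to www.somesite.com."""
    sid = new_session()
    state = state_from_url(request_user_authorization(sid))
    callback = REGISTERED_REDIRECT_URI + "?" + urlencode(
        {"code": "SplxlOBeZQQYbYS6WxSbIA", "state": state})  # constructed value
    callback_sid = sid if session_survives else new_session()
    try:
        return "code:" + process_user_authorization(callback_sid, callback)
    except CallbackMismatch:
        return "mismatch"


if __name__ == "__main__":
    print("same session   :", simulate_round_trip(True))
    print("session changed:", simulate_round_trip(False))
    print("naked domain   :", canonicalize_host("http://somesite.com/login",
                                                "www.somesite.com"))
```

The fix from the first answer works because it gives the session something to hold before the redirect, so the same id comes back with the callback; the fix from the second answer works because `canonicalize_host` moves the browser onto the registered host before the state is issued, so the session cookie and the callback share a host. Consuming the state on first use is what makes the same check reject a cross-site request forgery attempt, which is why the client must not simply skip it when the ids differ.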



Source: https://stackoverflow.com/questions/14225840/session-change-in-between-request-and-process-user-authorization
