DotNetOpenId — “This message has already been processed” Error (Part 2)

Question

This has already been asked Here, but not by me and the OP accepted an answer which did not help me. Thus far, I've tried logging in from different browsers, changing the web config, clearing cookies, and loading from an external machine.

In fact, I eventually did discover that the problem is specific to my own machine; when I published to another machine, it worked fine. Any suggestions for where to look for solutions? I deliberately used the simplest test code I could think of, a clean empty aspx page and a simple Page_Load function.

Edit: To clarify, like the author of the original question, I am getting a "This message has already been processed" error. This is printed out to screen with Response.Write(response.Exception.ToString());. I believe the issue is configuration-related, unlike the other author, since the symptoms only show up on my local box. Note that the symptoms are independent of whether I test on the same box as the code is running on.

    protected void Page_Load(object sender, EventArgs e)
    {
        using (OpenIdRelyingParty openid = new OpenIdRelyingParty())
        {
            IAuthenticationResponse response = openid.GetResponse();
            if (response != null)
            {
                try
                {
                    Response.Write(response.Exception.ToString());
                }
                catch (Exception)
                {
                }
                return;
            }
        }

        using (OpenIdRelyingParty openid = new OpenIdRelyingParty())
        {
            IAuthenticationRequest request = openid.CreateRequest(@"https://www.google.com/accounts/o8/id");
            request.RedirectToProvider();
        }

    }

Error Message:

DotNetOpenAuth.Messaging.Bindings.ReplayedMessageException: This message has already been processed. This could indicate a replay attack in progress. at DotNetOpenAuth.Messaging.Bindings.StandardReplayProtectionBindingElement.ProcessIncomingMessage(IProtocolMessage message) in c:\TeamCity\buildAgent\work\bf9e2ca68b75a334\src\DotNetOpenAuth\Messaging\Bindings\StandardReplayProtectionBindingElement.cs:line 129 at DotNetOpenAuth.Messaging.Channel.ProcessIncomingMessage(IProtocolMessage message) in c:\TeamCity\buildAgent\work\bf9e2ca68b75a334\src\DotNetOpenAuth\Messaging\Channel.cs:line 990 at DotNetOpenAuth.OpenId.ChannelElements.OpenIdChannel.ProcessIncomingMessage(IProtocolMessage message) in c:\TeamCity\buildAgent\work\bf9e2ca68b75a334\src\DotNetOpenAuth\OpenId\ChannelElements\OpenIdChannel.cs:line 172 at DotNetOpenAuth.Messaging.Channel.ReadFromRequest(HttpRequestInfo httpRequest) in c:\TeamCity\buildAgent\work\bf9e2ca68b75a334\src\DotNetOpenAuth\Messaging\Channel.cs:line 375 at DotNetOpenAuth.OpenId.RelyingParty.OpenIdRelyingParty.GetResponse(HttpRequestInfo httpRequestInfo) in c:\TeamCity\buildAgent\work\bf9e2ca68b75a334\src\DotNetOpenAuth\OpenId\RelyingParty\OpenIdRelyingParty.cs:line 498

Logs:

2010-02-01 14:19:57,238 (GMT-5) [4] INFO  DotNetOpenAuth - DotNetOpenAuth, Version=3.4.0.10015, Culture=neutral, PublicKeyToken=2780ccd10d57b246 (official)
2010-02-01 14:19:57,253 (GMT-5) [4] INFO  DotNetOpenAuth - Reporting will use isolated storage with scope: User, Domain, Assembly
2010-02-01 14:19:57,270 (GMT-5) [4] INFO  DotNetOpenAuth.Messaging.Channel - Scanning incoming request for messages: http://mymachine/OpenIDGizmo/snort.aspx?dnoa.userSuppliedIdentifier=https%3A%2F%2Fwww.google.com%2Faccounts%2Fo8%2Fid&openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.mode=id_res&openid.op_endpoint=https%3A%2F%2Fwww.google.com%2Faccounts%2Fo8%2Fud&openid.response_nonce=[snip4]%3A[snip5]%3A[snip6]&openid.return_to=http%3A%2F%2Fmymachine%2FOpenIDGizmo%2Fsnort.aspx%3Fdnoa.userSuppliedIdentifier%3Dhttps%253A%252F%252Fwww.google.com%252Faccounts%252Fo8%252Fid&openid.assoc_handle=[snip3]&openid.signed=op_endpoint%2Cclaimed_id%2Cidentity%2Creturn_to%2Cresponse_nonce%2Cassoc_handle&openid.sig=[snip2]%2F[snip7]%3D&openid.identity=https%3A%2F%2Fwww.google.com%2Faccounts%2Fo8%2Fid%3Fid%3D[snip1]&openid.claimed_id=https%3A%2F%2Fwww.google.com%2Faccounts%2Fo8%2Fid%3Fid%3D[snip1]
2010-02-01 14:19:57,272 (GMT-5) [4] DEBUG DotNetOpenAuth.Messaging.Channel - Incoming HTTP request: GET http://mymachine/OpenIDGizmo/snort.aspx?dnoa.userSuppliedIdentifier=https%3A%2F%2Fwww.google.com%2Faccounts%2Fo8%2Fid&openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.mode=id_res&openid.op_endpoint=https%3A%2F%2Fwww.google.com%2Faccounts%2Fo8%2Fud&openid.response_nonce=[snip4]%3A[snip5]%3A[snip6]&openid.return_to=http%3A%2F%2Fmymachine%2FOpenIDGizmo%2Fsnort.aspx%3Fdnoa.userSuppliedIdentifier%3Dhttps%253A%252F%252Fwww.google.com%252Faccounts%252Fo8%252Fid&openid.assoc_handle=[snip3]&openid.signed=op_endpoint%2Cclaimed_id%2Cidentity%2Creturn_to%2Cresponse_nonce%2Cassoc_handle&openid.sig=[snip2]%2F[snip7]%3D&openid.identity=https%3A%2F%2Fwww.google.com%2Faccounts%2Fo8%2Fid%3Fid%3D[snip1]&openid.claimed_id=https%3A%2F%2Fwww.google.com%2Faccounts%2Fo8%2Fid%3Fid%3D[snip1]
2010-02-01 14:19:57,360 (GMT-5) [4] DEBUG DotNetOpenAuth.Messaging.Channel - Incoming request received: PositiveAssertionResponse
2010-02-01 14:19:57,364 (GMT-5) [4] INFO  DotNetOpenAuth.Messaging.Channel - Processing incoming PositiveAssertionResponse (2.0) message:
    openid.claimed_id: https://www.google.com/accounts/o8/id?id=[snip1]
    openid.identity: https://www.google.com/accounts/o8/id?id=[snip1]
    openid.sig: [snip2]/[snip7]=
    openid.signed: op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle
    openid.assoc_handle: [snip3]
    openid.op_endpoint: https://www.google.com/accounts/o8/ud
    openid.return_to: http://mymachine/OpenIDGizmo/snort.aspx?dnoa.userSuppliedIdentifier=https%3A%2F%2Fwww.google.com%2Faccounts%2Fo8%2Fid
    openid.response_nonce: [snip4]:[snip5]:[snip6]
    openid.mode: id_res
    openid.ns: http://specs.openid.net/auth/2.0
    dnoa.userSuppliedIdentifier: https://www.google.com/accounts/o8/id

2010-02-01 14:19:57,373 (GMT-5) [4] DEBUG DotNetOpenAuth.Messaging.Bindings - Binding element DotNetOpenAuth.OpenId.ChannelElements.ReturnToSignatureBindingElement did not apply to message.
2010-02-01 14:19:57,374 (GMT-5) [4] DEBUG DotNetOpenAuth.Messaging.Bindings - Binding element DotNetOpenAuth.OpenId.ChannelElements.BackwardCompatibilityBindingElement did not apply to message.
2010-02-01 14:19:57,376 (GMT-5) [4] DEBUG DotNetOpenAuth.Messaging.Bindings - Verifying incoming PositiveAssertionResponse message signature of: [snip2]=
2010-02-01 14:19:57,388 (GMT-5) [4] DEBUG DotNetOpenAuth.Messaging.Channel - Preparing to send CheckAuthenticationRequest (2.0) message.
2010-02-01 14:19:57,399 (GMT-5) [4] DEBUG DotNetOpenAuth.Messaging.Bindings - Binding element DotNetOpenAuth.OpenId.ChannelElements.ExtensionsBindingElement did not apply to message.
2010-02-01 14:19:57,399 (GMT-5) [4] DEBUG DotNetOpenAuth.Messaging.Bindings - Binding element DotNetOpenAuth.OpenId.ChannelElements.RelyingPartySecurityOptions did not apply to message.
2010-02-01 14:19:57,400 (GMT-5) [4] DEBUG DotNetOpenAuth.Messaging.Bindings - Binding element DotNetOpenAuth.OpenId.ChannelElements.BackwardCompatibilityBindingElement did not apply to message.
2010-02-01 14:19:57,400 (GMT-5) [4] DEBUG DotNetOpenAuth.Messaging.Bindings - Binding element DotNetOpenAuth.OpenId.ChannelElements.ReturnToNonceBindingElement did not apply to message.
2010-02-01 14:19:57,401 (GMT-5) [4] DEBUG DotNetOpenAuth.Messaging.Bindings - Binding element DotNetOpenAuth.OpenId.ChannelElements.ReturnToSignatureBindingElement did not apply to message.
2010-02-01 14:19:57,401 (GMT-5) [4] DEBUG DotNetOpenAuth.Messaging.Bindings - Binding element DotNetOpenAuth.Messaging.Bindings.StandardReplayProtectionBindingElement did not apply to message.
2010-02-01 14:19:57,402 (GMT-5) [4] DEBUG DotNetOpenAuth.Messaging.Bindings - Binding element DotNetOpenAuth.Messaging.Bindings.StandardExpirationBindingElement did not apply to message.
2010-02-01 14:19:57,402 (GMT-5) [4] DEBUG DotNetOpenAuth.Messaging.Bindings - Binding element DotNetOpenAuth.OpenId.ChannelElements.SigningBindingElement did not apply to message.
2010-02-01 14:19:57,403 (GMT-5) [4] INFO  DotNetOpenAuth.Messaging.Channel - Prepared outgoing CheckAuthenticationRequest (2.0) message for https://www.google.com/accounts/o8/ud: 
    openid.return_to: http://mymachine/OpenIDGizmo/snort.aspx?dnoa.userSuppliedIdentifier=https%3A%2F%2Fwww.google.com%2Faccounts%2Fo8%2Fid
    openid.mode: check_authentication
    openid.ns: http://specs.openid.net/auth/2.0
    openid.claimed_id: https://www.google.com/accounts/o8/id?id=[snip1]
    openid.identity: https://www.google.com/accounts/o8/id?id=[snip1]
    openid.sig: [snip2]=
    openid.signed: op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle
    openid.assoc_handle: [snip3]
    openid.op_endpoint: https://www.google.com/accounts/o8/ud
    openid.response_nonce: [snip4]:[snip5]:[snip6]
    dnoa.userSuppliedIdentifier: https://www.google.com/accounts/o8/id

2010-02-01 14:19:57,403 (GMT-5) [4] DEBUG DotNetOpenAuth.Messaging.Channel - Sending CheckAuthenticationRequest request.
2010-02-01 14:19:57,916 (GMT-5) [4] DEBUG DotNetOpenAuth.Http - HTTP POST https://www.google.com/accounts/o8/ud
2010-02-01 14:19:57,992 (GMT-5) [4] DEBUG DotNetOpenAuth.Messaging.Channel - Received CheckAuthenticationResponse response.
2010-02-01 14:19:57,992 (GMT-5) [4] INFO  DotNetOpenAuth.Messaging.Channel - Processing incoming CheckAuthenticationResponse (2.0) message:
    is_valid: true
    ns: http://specs.openid.net/auth/2.0

2010-02-01 14:19:57,993 (GMT-5) [4] DEBUG DotNetOpenAuth.Messaging.Bindings - Binding element DotNetOpenAuth.OpenId.ChannelElements.ReturnToSignatureBindingElement did not apply to message.
2010-02-01 14:19:57,993 (GMT-5) [4] DEBUG DotNetOpenAuth.Messaging.Bindings - Binding element DotNetOpenAuth.OpenId.ChannelElements.BackwardCompatibilityBindingElement did not apply to message.
2010-02-01 14:19:57,993 (GMT-5) [4] DEBUG DotNetOpenAuth.Messaging.Bindings - Binding element DotNetOpenAuth.OpenId.ChannelElements.SigningBindingElement did not apply to message.
2010-02-01 14:19:57,993 (GMT-5) [4] DEBUG DotNetOpenAuth.Messaging.Bindings - Binding element DotNetOpenAuth.Messaging.Bindings.StandardExpirationBindingElement did not apply to message.
2010-02-01 14:19:57,994 (GMT-5) [4] DEBUG DotNetOpenAuth.Messaging.Bindings - Binding element DotNetOpenAuth.Messaging.Bindings.StandardReplayProtectionBindingElement did not apply to message.
2010-02-01 14:19:57,995 (GMT-5) [4] DEBUG DotNetOpenAuth.Messaging.Bindings - Binding element DotNetOpenAuth.OpenId.ChannelElements.ReturnToNonceBindingElement did not apply to message.
2010-02-01 14:19:57,995 (GMT-5) [4] DEBUG DotNetOpenAuth.Messaging.Bindings - Binding element DotNetOpenAuth.OpenId.ChannelElements.RelyingPartySecurityOptions did not apply to message.
2010-02-01 14:19:57,997 (GMT-5) [4] DEBUG DotNetOpenAuth.Messaging.Bindings - Binding element DotNetOpenAuth.OpenId.ChannelElements.ExtensionsBindingElement did not apply to message.
2010-02-01 14:19:57,997 (GMT-5) [4] DEBUG DotNetOpenAuth.Messaging.Channel - After binding element processing, the received CheckAuthenticationResponse (2.0) message is: 
    is_valid: true
    ns: http://specs.openid.net/auth/2.0

2010-02-01 14:19:57,997 (GMT-5) [4] DEBUG DotNetOpenAuth.Messaging.Bindings - Binding element DotNetOpenAuth.OpenId.ChannelElements.SigningBindingElement applied to message.

---

web.config:

<?xml version="1.0"?>

<configuration>
  <configSections>
    <section name="log4net" type="log4net.Config.Log4NetConfigurationSectionHandler" requirePermission="false" />
    <section name="uri" type="System.Configuration.UriSection, 
            System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
    <section name="dotNetOpenAuth" type="DotNetOpenAuth.Configuration.DotNetOpenAuthSection"
            requirePermission="false" allowLocation="true"/>
  </configSections>

  <uri>
    <idn enabled="All"/>
    <iriParsing enabled="true"/>
  </uri>

  <appSettings/>
  <connectionStrings/>

  <system.web>
    <!-- 
            Set compilation debug="true" to insert debugging 
            symbols into the compiled page. Because this 
            affects performance, set this value to true only 
            during development.
        -->
    <compilation debug="true" />
    <!--
            The <authentication> section enables configuration 
            of the security authentication mode used by 
            ASP.NET to identify an incoming user. 
        -->
    <authentication mode="Windows" />
    <!--
            The <customErrors> section enables configuration 
            of what to do if/when an unhandled error occurs 
            during the execution of a request. Specifically, 
            it enables developers to configure html error pages 
            to be displayed in place of a error stack trace.

        <customErrors mode="RemoteOnly" defaultRedirect="GenericErrorPage.htm">
            <error statusCode="403" redirect="NoAccess.htm" />
            <error statusCode="404" redirect="FileNotFound.htm" />
        </customErrors>
        -->
  </system.web>

  <dotNetOpenAuth>
    <openid maxAuthenticationTime="0:05" cacheDiscovery="true">
      <relyingParty>
        <security
                    requireSsl="false"
                    minimumRequiredOpenIdVersion="V10"
                    minimumHashBitLength="160"
                    maximumHashBitLength="256"
                    requireDirectedIdentity="false"
                    requireAssociation="false"
                    rejectUnsolicitedAssertions="false"
                    rejectDelegatingIdentifiers="false"
                    ignoreUnsignedExtensions="false"
                    privateSecretMaximumAge="07:00:00" />
        <behaviors>
          <!-- <add type="Fully.Qualified.ClassName, Assembly" /> -->
        </behaviors>
        <store type="Fully.Qualified.ClassName, Assembly" />
      </relyingParty>
      <provider>
        <security
                    requireSsl="false"
                    protectDownlevelReplayAttacks="true"
                    minimumHashBitLength="160"
                    maximumHashBitLength="512">
          <associations>
            <add type="HMAC-SHA1" lifetime="14.00:00:00" />
            <add type="HMAC-SHA256" lifetime="14.00:00:00" />
          </associations>
        </security>
        <behaviors>
          <!-- <add type="Fully.Qualified.ClassName, Assembly" /> -->
        </behaviors>
        <store type="Fully.Qualified.ClassName, Assembly" />
      </provider>
      <extensionFactories>
        <add type="FullyQualifiedClass.Implementing.IOpenIdExtensionFactory, Assembly" />
      </extensionFactories>
    </openid>
    <messaging clockSkew="00:10:00" lifetime="00:03:00">
      <untrustedWebRequest
                timeout="00:01:10"
                readWriteTimeout="00:00:21.500"
                maximumBytesToRead="1048576"
                maximumRedirections="10">
        <whitelistHosts>
          <!-- since this is a sample, and will often be used with localhost -->
          <!-- <add name="localhost" /> -->
        </whitelistHosts>
        <whitelistHostsRegex>
          <!-- since this is a sample, and will often be used with localhost -->
          <!-- <add name="\.owndomain\.com$" /> -->
        </whitelistHostsRegex>
        <blacklistHosts>
        </blacklistHosts>
        <blacklistHostsRegex>
        </blacklistHostsRegex>
      </untrustedWebRequest>
    </messaging>
  </dotNetOpenAuth>


  <!-- log4net is a 3rd party (free) logger library that dotnetopenid will use if present but does not require. -->
  <log4net>
    <appender name="RollingFileAppender" type="log4net.Appender.RollingFileAppender">
      <file value="c:\\tmp\\toto\\RelyingParty2.log" />
      <appendToFile value="true" />
      <immediateFlush value="true" />
      <rollingStyle value="Size" />
      <maxSizeRollBackups value="10" />
      <maximumFileSize value="100KB" />
      <staticLogFileName value="true" />
      <layout type="log4net.Layout.PatternLayout">
        <conversionPattern value="%date (GMT%date{%z}) [%thread] %-5level %logger - %message%newline" />
      </layout>
    </appender>
    <appender name="TracePageAppender" type="OpenIdRelyingPartyWebForms.Code.TracePageAppender, OpenIdRelyingPartyWebForms">
      <layout type="log4net.Layout.PatternLayout">
        <conversionPattern value="%date (GMT%date{%z}) [%thread] %-5level %logger - %message%newline" />
      </layout>
    </appender>
    <!-- Setup the root category, add the appenders and set the default level -->
    <root>
      <level value="INFO" />
      <appender-ref ref="RollingFileAppender" />
      <!--<appender-ref ref="TracePageAppender" />-->
    </root>
    <!-- Specify the level for some specific categories -->
    <logger name="DotNetOpenAuth">
      <level value="ALL" />
    </logger>
  </log4net>

</configuration>

Answer 1

In some versions of dotnetopenauth you can also get:

This message has already been processed. This could indicate a replay attack in progress.

if your maxAuthenticationTime value is too low (which is obviously not related to the error in any way - but that is a different issue). I experienced this just today.

To increase this value, edit the config entry as shown at https://github.com/DotNetOpenAuth/DotNetOpenAuth/wiki/Configuration (I suggest setting to 0:10).