Re: FormsAuthentication.Decrypt causes System.Security.Cryptography.CryptographicException: Bad Data Error

From: Jim Fiorato (nospamjfiorato_at_hotmail.com)
Date: 05/14/03


Date: Wed, 14 May 2003 09:19:29 -0500


I found the answer to this one.

Very good document here about changes to the Framwork for 1.1.
http://www.gotdotnet.com/team/changeinfo/default.aspx

In specific, my problem:
      Title Autogenerated ASP.NET forms authentication and viewstate keys
are now isolated per application by default.
      Area Asp.NET
      Affected APIs The ASP.NET Forms authentication feature as a whole when
using autogenerated keys. This includes:
      FormsAuthentication.RedirectFromLoginPage // all
      FormsAuthentication.SetAuthCookie // all
      FormsAuthentication.GetAuthCookie // all
      FormsAuthentication.Encrypt // all
      FormsAuthentication.Decrypt // all
      Description When using forms authentication across applications with
the default <machineKey> section in machine.config, applications are now
isolated and will not share forms authentication or viewstate keys.
      This is due to the presence of a new modifier on the validationKey and
decryptionKey attributes called "IsolateApps". When this key is present, the
application identity is used a part of the key modifier so that keys are not
shared across applications. This was done to make it easier to configure
isolated applications on shared servers.
      Note that if applications contain an explicit value for these
attributes in the web.config (this is required for Web farm deployments),
then this is not an issue and the configured value will be used. Similarly,
if an application has an explicit <machineKey> section in a local web.config
file set to autogenerate, then that application will not use the new
modifier.
      Note also that applications that have explicit values configured for
the <machineKey> section in web.config will not see a change in behavior on
these APIs. This applies only to applications that inherit the default
machine.config <machineKey> section for these values.
      Workaround Configure an explicit key in a local web.config or in
machine.config or remove the "IsolateApps" modifier from the attribute. With
the modifier removed, the .NET Framework version 1.0 behavior will be
identical. Note that only applications that want to share forms
authentication cookies across applications are affected by this change.

"Jim Fiorato" <jfiorato@hotmail.com> wrote in message
news:eUR%23hcYGDHA.4048@tk2msftngp13.phx.gbl...
> Prior to the installation of .NET Framework 1.1, it was possible to create
> and encrypt a ticket in one v-directory running as an application, and
> decrypt and use that same ticket from another v-directory running as an
> application, as long as both applications were the in same domain. Is
this
> no longer possible in the 1.1 Framework?
>
> The error is very easy to reproduce.
> Create a new web application with a web.config file with authentication
> mode="forms". Then create a new web form, in this case WebForm1.aspx,
with
> the following code:
>
> <%
> if(IsPostBack) {
> FormsAuthenticationTicket myTicket =
>
FormsAuthentication.Decrypt(Request.Cookies.Get(FormsAuthentication.FormsCoo
> kieName).Value);
> Response.Write(myTicket.Name);
> }
> %>
> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" >
> <HTML>
> <HEAD>
> <title>WebForm1</title>
>
> </HEAD>
> <body
> <form id="Form1" method="post" runat="server">
> <iframe src="integrated/WebForm2.aspx"></iframe>
> <asp:Button id="Button1" style="Z-INDEX: 101; LEFT: 139px; POSITION:
> absolute; TOP: 218px" runat="server" Text="Button"></asp:Button>
> </form>
> </body>
> </HTML>
>
> Then create a new folder (in my case, I called it "integrated") within
that
> application and add a web.config file with authentication mode="windows"
and
> authorization set to deny users="?". Configure this new folder in IIS to
> run as an application. Then create a new web form, in this case
> WebForm2.aspx, with the following code:
>
> <%
> FormsAuthentication.SetAuthCookie(Context.User.Identity.Name, false);
> %>
>
> When you run the project, you should get the following error after
clicking
> on the button to post back.
>
>
> Description: An unhandled exception occurred during the execution of the
> current web request. Please review the stack trace for more information
> about the error and where it originated in the code.
>
> Exception Details: System.Security.Cryptography.CryptographicException:
Bad
> Data.
>
> Source Error:
>
>
> Line 24: // Put user code to initialize the page here
> Line 25: if(IsPostBack) {
> Line 26: FormsAuthenticationTicket myTicket =
>
FormsAuthentication.Decrypt(Request.Cookies.Get(FormsAuthentication.FormsCoo
> kieName).Value);
> Line 27: Response.Write(myTicket.Name);
> Line 28: }
>
>
> Any help is appreciated.
>
> Jim
>
>