
FormsAuthentication.Decrypt causes System.Security.Cryptography.CryptographicException: Bad Data Error


Jim Fiorato

May 13, 2003, 3:37:45 PM
Prior to the installation of .NET Framework 1.1, it was possible to create
and encrypt a ticket in one v-directory running as an application, and
decrypt and use that same ticket from another v-directory running as an
application, as long as both applications were in the same domain. Is this
no longer possible in the 1.1 Framework?

The error is very easy to reproduce.
Create a new web application with a web.config file with authentication
mode="forms". Then create a new web form, in this case WebForm1.aspx, with
the following code:

<%
if(IsPostBack) {
    // Decrypt the forms ticket that WebForm2.aspx (in the nested application) set
    FormsAuthenticationTicket myTicket =
        FormsAuthentication.Decrypt(Request.Cookies.Get(FormsAuthentication.FormsCookieName).Value);
    Response.Write(myTicket.Name);
}
%>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" >
<HTML>
<HEAD>
<title>WebForm1</title>
</HEAD>
<body>
<form id="Form1" method="post" runat="server">
<iframe src="integrated/WebForm2.aspx"></iframe>
<asp:Button id="Button1" style="Z-INDEX: 101; LEFT: 139px; POSITION: absolute; TOP: 218px" runat="server" Text="Button"></asp:Button>
</form>
</body>
</HTML>

Then create a new folder (in my case, I called it "integrated") within that
application and add a web.config file with authentication mode="windows" and
authorization set to deny users="?". Configure this new folder in IIS to
run as an application. Then create a new web form, in this case
WebForm2.aspx, with the following code:

<%
FormsAuthentication.SetAuthCookie(Context.User.Identity.Name, false);
%>

When you run the project, you should get the following error after clicking
on the button to post back.

Description: An unhandled exception occurred during the execution of the
current web request. Please review the stack trace for more information
about the error and where it originated in the code.

Exception Details: System.Security.Cryptography.CryptographicException: Bad Data.

Source Error:

Line 24: // Put user code to initialize the page here
Line 25: if(IsPostBack) {
Line 26: FormsAuthenticationTicket myTicket = FormsAuthentication.Decrypt(Request.Cookies.Get(FormsAuthentication.FormsCookieName).Value);
Line 27: Response.Write(myTicket.Name);
Line 28: }


Any help is appreciated.

Jim


Jim Fiorato

May 14, 2003, 10:19:29 AM
I found the answer to this one.

Very good document here about changes to the Framework for 1.1.
http://www.gotdotnet.com/team/changeinfo/default.aspx

In specific, my problem:

Title: Autogenerated ASP.NET forms authentication and viewstate keys are now
isolated per application by default.

Area: ASP.NET

Affected APIs: The ASP.NET Forms authentication feature as a whole when
using autogenerated keys. This includes:
FormsAuthentication.RedirectFromLoginPage // all
FormsAuthentication.SetAuthCookie // all
FormsAuthentication.GetAuthCookie // all
FormsAuthentication.Encrypt // all
FormsAuthentication.Decrypt // all

Description: When using forms authentication across applications with the
default <machineKey> section in machine.config, applications are now isolated
and will not share forms authentication or viewstate keys. This is due to the
presence of a new modifier on the validationKey and decryptionKey attributes
called "IsolateApps". When this modifier is present, the application identity
is used as part of the key derivation so that keys are not shared across
applications. This was done to make it easier to configure isolated
applications on shared servers.

Note that if applications contain an explicit value for these attributes in
the web.config (this is required for Web farm deployments), then this is not
an issue and the configured value will be used. Similarly, if an application
has an explicit <machineKey> section in a local web.config file set to
autogenerate, then that application will not use the new modifier.

Note also that applications that have explicit values configured for the
<machineKey> section in web.config will not see a change in behavior on these
APIs. This applies only to applications that inherit the default
machine.config <machineKey> section for these values.

Workaround: Configure an explicit key in a local web.config or in
machine.config, or remove the "IsolateApps" modifier from the attribute. With
the modifier removed, the behavior will be identical to .NET Framework
version 1.0. Note that only applications that want to share forms
authentication cookies across applications are affected by this change.

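An added example, not part of the thread: the .NET 1.1 machine.config default that produces the "Bad Data" error, beside the explicit <machineKey> the workaround recommends, placed in the root application's web.config. It assumes the nested "integrated" application inherits that web.config (otherwise repeat the section in both files), and the key values are placeholders to be replaced with generated random hex. Giving just these two applications an explicit shared key keeps the per-application isolation against other applications on the same server, which globally removing "IsolateApps" would give up.

```xml
<!-- .NET 1.1 machine.config default (the cause of the error in this thread):
     "IsolateApps" mixes each application's identity into the autogenerated
     keys, so a ticket encrypted by one application cannot be decrypted by
     another, even in the same domain. -->
<machineKey validationKey="AutoGenerate,IsolateApps"
            decryptionKey="AutoGenerate,IsolateApps"
            validation="SHA1" />

<!-- Root application web.config: explicit keys shared by this application
     and the nested "integrated" application that inherits this file.
     The key values are placeholders (assumed format for .NET 1.1: hex,
     40 to 128 characters for validationKey, 16 or 48 characters for
     decryptionKey). Generate them randomly and keep them out of
     source control; the same values must be configured on every
     server in a Web farm. -->
<configuration>
  <system.web>
    <authentication mode="Forms" />
    <machineKey validationKey="REPLACE_WITH_RANDOM_HEX_VALIDATION_KEY"
                decryptionKey="REPLACE_WITH_RANDOM_HEX_DECRYPTION_KEY"
                validation="SHA1" />
  </system.web>
</configuration>
```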
