Solved

"Padding is invalid" error message

Posted on 2007-12-03
Last Modified: 2010-04-21
We are hosting two copies of the same application on the same server in IIS. Each copy is set up in IIS with a virtual directory and a separate application pool, and uses NT authentication security. The two versions have different web.config configurations to enable testing of a read-only and an editable version of a .NET web-based application. When you move between the two applications in the same IE window, the following error is produced on the second site you visit:

Padding is invalid and cannot be removed.
   at System.Security.Cryptography.RijndaelManagedTransform.DecryptData(Byte[] inputBuffer, Int32 inputOffset, Int32 inputCount, Byte[]& outputBuffer, Int32 outputOffset, PaddingMode paddingMode, Boolean fLast)
   at System.Security.Cryptography.RijndaelManagedTransform.TransformFinalBlock(Byte[] inputBuffer, Int32 inputOffset, Int32 inputCount)
   at System.Security.Cryptography.CryptoStream.FlushFinalBlock()
   at System.Web.Configuration.MachineKeySection.EncryptOrDecryptData(Boolean fEncrypt, Byte[] buf, Byte[] modifier, Int32 start, Int32 length, Boolean useValidationSymAlgo)
   at System.Web.Security.FormsAuthentication.Decrypt(String encryptedTicket)
   at Security.GetAuthTicket()
   at Security.IsUserAuthenticated(String ConnectionString)
   at _Default.Page_Load(Object sender, EventArgs e)
   at System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o, Object t, EventArgs e)
   at System.Web.Util.CalliEventHandlerDelegateProxy.Callback(Object sender, EventArgs e)
   at System.Web.UI.Control.OnLoad(EventArgs e)
   at System.Web.UI.Control.LoadRecursive()
   at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)

The problem usually goes away if you log out of one site and then navigate to the other, or open the second site in a new IE window, but entering the URL of the second site whilst logged into the first produces the above error.

The only method that uses the Decrypt method is as follows, however there is no error location in the above error:

    public static FormsAuthenticationTicket GetAuthTicket()
    {
        // Extract the forms authentication cookie
        string zpCookieName = FormsAuthentication.FormsCookieName;
        HttpCookie opAuthCookie = HttpContext.Current.Request.Cookies[zpCookieName];

        if (opAuthCookie == null)
        {
            // There is no authentication cookie.
            return null;
        }

        FormsAuthenticationTicket opAuthTicket = null;

        opAuthTicket = FormsAuthentication.Decrypt(opAuthCookie.Value);

        if (opAuthTicket == null)
        {
            // Cookie failed to decrypt.
            throw new Exception("Could not decrypt authentication ticket");
        }
        else
        {
            return opAuthTicket;
        }
    }
Question by:SamDorling
Accepted Solution

by:
Göran Andersson earned 500 total points
ID: 20394553
The problem is that the applications have the same domain name, so they share the cookies. Specify the path when you create the cookies, so that each cookie is local to the directory.

    ticket.Path = Request.Path.Substring(0, Request.Path.LastIndexOf('/'));

Author Closing Comment

by:SamDorling
ID: 31427346
Thanks for the prompt response, GreenGhost.  Setting the ".Path" property of the Cookie object did fix our problem.

Just as a side-note, we did also append a forward slash to the end of the "Path" property, e.g. our two virtual directories were:

http://ServerName/Application
http://ServerName/ApplicationReadOnly

Switching from the "ApplicationReadOnly" to "Application" still produced the "Padding is invalid" message, and it seemed to be because "/Application" partially matches "/ApplicationReadOnly", so by adding a forward slash to the end of the ".Path" property, the name is completely unique.  This seemed a bit strange, but must be some sort of security feature for cookies.
Expert Comment

by:Göran Andersson
ID: 20395044
I see. Then it seems that the path is matched against the requested URL without parsing the separate folders. This is probably not very common knowledge, as this is the example code for the HttpCookie.Path property in MSDN Library:

    MyCookie.Path = "/asp";

That code would have the same potential problem as you are describing.

As a side note to the side note ;)
You could just leave the slash, instead of excluding it and adding another:

    ticket.Path = Request.Path.Substring(0, Request.Path.LastIndexOf('/') + 1);
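The path comparison discussed in the last two comments, as an added example that is not part of the original thread: it applies the Netscape-era plain prefix rule and the stricter RFC 6265 path-match rule to the two `Path` expressions posted above. The request paths are constructed from the two virtual directory names in the thread, and the class and method names are hypothetical.

```csharp
using System;

static class CookiePathDemo
{
    // Netscape-era rule: the cookie path only has to be a string prefix of the request path.
    static bool PrefixMatch(string cookiePath, string requestPath)
    {
        return requestPath.StartsWith(cookiePath, StringComparison.Ordinal);
    }

    // RFC 6265 section 5.1.4: the prefix must also end on a "/" segment boundary.
    static bool Rfc6265Match(string cookiePath, string requestPath)
    {
        if (requestPath == cookiePath) return true;
        if (!requestPath.StartsWith(cookiePath, StringComparison.Ordinal)) return false;
        return cookiePath.EndsWith("/", StringComparison.Ordinal)
            || requestPath[cookiePath.Length] == '/';
    }

    // The two expressions from the answers: request directory without and with the trailing slash.
    static string DirNoSlash(string requestPath)
    {
        return requestPath.Substring(0, requestPath.LastIndexOf('/'));
    }

    static string DirWithSlash(string requestPath)
    {
        return requestPath.Substring(0, requestPath.LastIndexOf('/') + 1);
    }

    static void Main()
    {
        // Constructed request paths for the two virtual directories named in the thread.
        string editable = "/Application/Default.aspx";
        string readOnly = "/ApplicationReadOnly/Default.aspx";

        foreach (string cookiePath in new[] { DirNoSlash(editable), DirWithSlash(editable) })
        {
            Console.WriteLine("Cookie Path = \"{0}\"", cookiePath);
            foreach (string request in new[] { editable, readOnly })
            {
                Console.WriteLine("  {0,-36} prefix: {1,-5}  RFC 6265: {2}",
                    request, PrefixMatch(cookiePath, request), Rfc6265Match(cookiePath, request));
            }
        }
    }
}
```

With `Path = "/Application"` the prefix rule also matches the `/ApplicationReadOnly` request, so a client using that rule sends the ticket cookie to the other application; with `Path = "/Application/"` both rules match only the application that issued it.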