Solved

"Padding is invalid" error message

Posted on 2007-12-03
Last Modified: 2010-04-21
We are hosting two copies of the same application on the same server in IIS.  Each copy is set up in IIS with a virtual directory and separate application pools, and uses NT authentication security.  The two versions have different web.config configurations to enable testing of a read-only and editable version of a .NET web-based application.  When you move between the two applications in the same IE window the following error is produced on the second site you visit:

Padding is invalid and cannot be removed.
   at System.Security.Cryptography.RijndaelManagedTransform.DecryptData(Byte[] inputBuffer, Int32 inputOffset, Int32 inputCount, Byte[]& outputBuffer, Int32 outputOffset, PaddingMode paddingMode, Boolean fLast)
   at System.Security.Cryptography.RijndaelManagedTransform.TransformFinalBlock(Byte[] inputBuffer, Int32 inputOffset, Int32 inputCount)
   at System.Security.Cryptography.CryptoStream.FlushFinalBlock()
   at System.Web.Configuration.MachineKeySection.EncryptOrDecryptData(Boolean fEncrypt, Byte[] buf, Byte[] modifier, Int32 start, Int32 length, Boolean useValidationSymAlgo)
   at System.Web.Security.FormsAuthentication.Decrypt(String encryptedTicket)
   at Security.GetAuthTicket()
   at Security.IsUserAuthenticated(String ConnectionString)
   at _Default.Page_Load(Object sender, EventArgs e)
   at System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o, Object t, EventArgs e)
   at System.Web.Util.CalliEventHandlerDelegateProxy.Callback(Object sender, EventArgs e)
   at System.Web.UI.Control.OnLoad(EventArgs e)
   at System.Web.UI.Control.LoadRecursive()
   at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)

The problem usually goes away if you log out of one site and then navigate to the other, or open the second site in a new IE window, but entering the URL of the second site whilst logged into the first produces the above error.

The only method that uses the Decrypt method is as follows, however there is no error location in the above error:

    public static FormsAuthenticationTicket GetAuthTicket()
    {
        // Extract the forms authentication cookie
        string zpCookieName = FormsAuthentication.FormsCookieName;
        HttpCookie opAuthCookie = HttpContext.Current.Request.Cookies[zpCookieName];

        if (opAuthCookie == null)
        {
            // There is no authentication cookie.
            return null;
        }

        FormsAuthenticationTicket opAuthTicket = null;

        opAuthTicket = FormsAuthentication.Decrypt(opAuthCookie.Value);

        if (opAuthTicket == null)
        {
            // Cookie failed to decrypt.
            throw new Exception("Could not decrypt authentication ticket");
        }
        else
        {
            return opAuthTicket;
        }
    }
Question by:SamDorling

Accepted Solution

by:
Göran Andersson earned 500 total points
ID: 20394553
The problem is that the applications have the same domain name, so they share the cookies. Specify the path when you create the cookies, so that each cookie is local to the directory.

    ticket.Path = Request.Path.Substring(0, Request.Path.LastIndexOf('/'));


Author Closing Comment

by:SamDorling
ID: 31427346
Thanks for the prompt response, GreenGhost.  Setting the ".Path" property of the Cookie object did fix our problem.

Just as a side-note, we did also append a forward slash to the end of the "Path" property, e.g. our two virtual directories were:

http://ServerName/Application
http://ServerName/ApplicationReadOnly

Switching from the "ApplicationReadOnly" to "Application" still produced the "Padding is invalid" message, and it seemed to be because "/Application" partially matches "/ApplicationReadOnly", so by adding a forward slash to the end of the ".Path" property, the name is completely unique.  This seemed a bit strange, but must be some sort of security feature for cookies.

Expert Comment

by:Göran Andersson
ID: 20395044
I see. Then it seems that the path is matched against the requested URL without parsing the separate folders. This is probably not very common knowledge, as this is the example code for the HttpCookie.Path property in MSDN Library:

    MyCookie.Path = "/asp";

That code would have the same potential problem as you are describing.

As a side note to the side note ;)
You could just leave the slash, instead of excluding it and adding another:

    ticket.Path = Request.Path.Substring(0, Request.Path.LastIndexOf('/') + 1);
0
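The path overlap discussed in this thread, as an added example that is not part of the original posts: it compares plain string-prefix matching (the behaviour the thread describes) with the RFC 6265 path-match rule, using the two virtual directories from the question. The cookie jars, the `issuedBy` field and the function names are constructed for illustration; `.ASPXAUTH` is the default forms authentication cookie name.

```javascript
// Added example, not code from the thread.

// Plain prefix match: "/Application" also matches "/ApplicationReadOnly/...".
function prefixMatch(cookiePath, requestPath) {
  return requestPath.startsWith(cookiePath);
}

// RFC 6265 section 5.1.4: a prefix only counts when it ends on a "/" boundary.
function rfc6265PathMatch(cookiePath, requestPath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Which application's ticket cookies would be attached to a request?
function ticketsSent(jar, requestPath, match) {
  return jar.filter(c => match(c.path, requestPath)).map(c => c.issuedBy);
}

// Constructed jars: both apps issue a cookie with the same name, each
// encrypted under its own configuration, so the wrong one fails to decrypt.
const withoutSlash = [
  { name: ".ASPXAUTH", path: "/Application", issuedBy: "Application" },
  { name: ".ASPXAUTH", path: "/ApplicationReadOnly", issuedBy: "ApplicationReadOnly" },
];
const withSlash = withoutSlash.map(c => ({ ...c, path: c.path + "/" }));

const request = "/ApplicationReadOnly/Default.aspx";

// Prefix matching, no trailing slash: both tickets reach the read-only app.
console.log(ticketsSent(withoutSlash, request, prefixMatch));
// Prefix matching, trailing slash: only the read-only app's own ticket.
console.log(ticketsSent(withSlash, request, prefixMatch));
// RFC 6265 matching isolates the apps even without the trailing slash.
console.log(ticketsSent(withoutSlash, request, rfc6265PathMatch));
```

Scoping by path keeps the two tickets from colliding, but it is not a security boundary between applications on one host name; separate cookie names or separate host names give stronger isolation.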
