"Padding is invalid" error message

We are hosting two copies of the same application on the same server in IIS. Each copy is set up in IIS with a virtual directory and separate application pools, and uses NT authentication security. The two versions have different web.config configurations to enable testing of a read-only and editable version of a .NET web-based application. When you move between the two applications in the same IE window the following error is produced on the second site you visit:

Padding is invalid and cannot be removed.
   at System.Security.Cryptography.RijndaelManagedTransform.DecryptData(Byte[] inputBuffer, Int32 inputOffset, Int32 inputCount, Byte[]& outputBuffer, Int32 outputOffset, PaddingMode paddingMode, Boolean fLast)
   at System.Security.Cryptography.RijndaelManagedTransform.TransformFinalBlock(Byte[] inputBuffer, Int32 inputOffset, Int32 inputCount)
   at System.Security.Cryptography.CryptoStream.FlushFinalBlock()
   at System.Web.Configuration.MachineKeySection.EncryptOrDecryptData(Boolean fEncrypt, Byte[] buf, Byte[] modifier, Int32 start, Int32 length, Boolean useValidationSymAlgo)
   at System.Web.Security.FormsAuthentication.Decrypt(String encryptedTicket)
   at Security.GetAuthTicket()
   at Security.IsUserAuthenticated(String ConnectionString)
   at _Default.Page_Load(Object sender, EventArgs e)
   at System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o, Object t, EventArgs e)
   at System.Web.Util.CalliEventHandlerDelegateProxy.Callback(Object sender, EventArgs e)
   at System.Web.UI.Control.OnLoad(EventArgs e)
   at System.Web.UI.Control.LoadRecursive()
   at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)

The problem usually goes away if you log out of one site and then navigate to the other, or open the second site in a new IE window, but entering the URL of the second site whilst logged into the first produces the above error.

The only method that uses the Decrypt method is as follows, however there is no error location in the above error:

    public static FormsAuthenticationTicket GetAuthTicket()
    {
        // Extract the forms authentication cookie
        string zpCookieName = FormsAuthentication.FormsCookieName;
        HttpCookie opAuthCookie = HttpContext.Current.Request.Cookies[zpCookieName];

        if (opAuthCookie == null)
        {
            // There is no authentication cookie.
            return null;
        }

        FormsAuthenticationTicket opAuthTicket = null;

        opAuthTicket = FormsAuthentication.Decrypt(opAuthCookie.Value);

        if (opAuthTicket == null)
        {
            // Cookie failed to decrypt.
            throw new Exception("Could not decrypt authentication ticket");
        }
        else
        {
            return opAuthTicket;
        }
    }
Asked by SamDorling

Göran Andersson Commented:
The problem is that the applications have the same domain name, so they share the cookies. Specify the path when you create the cookies, so that each cookie is local to the directory.

    ticket.Path = Request.Path.Substring(0, Request.Path.LastIndexOf('/'));

0
 
SamDorling (Author) Commented:
Thanks for the prompt response, GreenGhost.  Setting the ".Path" property of the Cookie object did fix our problem.

Just as a side-note, we did also append a forward slash to the end of the "Path" property, e.g. our two virtual directories were:

http://ServerName/Application
http://ServerName/ApplicationReadOnly

Switching from the "ApplicationReadOnly" to "Application" still produced the "Padding is invalid" message, and it seemed to be because "/Application" partially matches "/ApplicationReadOnly", so by adding a forward slash to the end of the ".Path" property, the name is completely unique.  This seemed a bit strange, but must be some sort of security feature for cookies.
0
 
Göran Andersson Commented:
I see. Then it seems that the path is matched against the requested URL without parsing the separate folders. This is probably not very common knowledge, as this is the example code for the HttpCookie.Path property in MSDN Library:

    MyCookie.Path = "/asp";

That code would have the same potential problem as you are describing.

As a side note to the side note ;)
You could just leave the slash, instead of excluding it and adding another:

    ticket.Path = Request.Path.Substring(0, Request.Path.LastIndexOf('/') + 1);
0
Question has a verified solution.
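
The trailing-slash effect discussed in this thread, as an added example (not code from any poster): it compares the plain string-prefix matching the thread observed with the path-match rule of RFC 6265 section 5.1.4, for cookie paths with and without the trailing slash. The class and method names and the `Default.aspx` request paths are constructed for illustration.

```csharp
using System;

static class CookiePathDemo
{
    // Plain string-prefix comparison: the matching behaviour the thread observed.
    static bool PrefixMatch(string cookiePath, string requestPath)
    {
        return requestPath.StartsWith(cookiePath, StringComparison.Ordinal);
    }

    // Path-match as defined in RFC 6265, section 5.1.4: a prefix only counts
    // when it ends on a "/" boundary.
    static bool Rfc6265Match(string cookiePath, string requestPath)
    {
        if (!requestPath.StartsWith(cookiePath, StringComparison.Ordinal)) return false;
        if (requestPath.Length == cookiePath.Length) return true;
        return cookiePath.EndsWith("/", StringComparison.Ordinal)
            || requestPath[cookiePath.Length] == '/';
    }

    // Directory part of a request path, keeping the trailing slash
    // (same expression as the last answer in the thread).
    static string DirectoryPath(string requestPath)
    {
        return requestPath.Substring(0, requestPath.LastIndexOf('/') + 1);
    }

    static void Main()
    {
        // Constructed sample request paths for the two virtual directories.
        string[] requests = {
            "/Application/Default.aspx",
            "/ApplicationReadOnly/Default.aspx",
            "/Application"   // directory requested without its trailing slash
        };
        string withSlash = DirectoryPath("/Application/Default.aspx");
        string[] cookiePaths = { "/Application", withSlash };

        // Print, for every cookie path and request, whether the cookie would be sent.
        foreach (string cookiePath in cookiePaths)
            foreach (string request in requests)
                Console.WriteLine("{0,-14} -> {1,-34} prefix={2,-5} rfc6265={3}",
                    cookiePath, request,
                    PrefixMatch(cookiePath, request),
                    Rfc6265Match(cookiePath, request));
    }
}
```

With `Path` set to `/Application/`, neither rule sends the cookie to `/ApplicationReadOnly/...`; a request for `/Application` without the trailing slash does not receive it either.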