Solved

"Padding is invalid" error message

Posted on 2007-12-03
3
1,084 Views
Last Modified: 2010-04-21
We are hosting two copies of the same application on the same server in IIS.  Each copy is set up in IIS with a virtual directory and separate application pools, and use NT authentication security.  The two versions have different web.config configurations to enable testing of a read-only and editable version of a .net web based application.  When you move between the two applications in the same IE window the following error is produced on the second site you visit:

Padding is invalid and cannot be removed.
   at System.Security.Cryptography.RijndaelManagedTransform.DecryptData(Byte[] inputBuffer, Int32 inputOffset, Int32 inputCount, Byte[]& outputBuffer, Int32 outputOffset, PaddingMode paddingMode, Boolean fLast)
   at System.Security.Cryptography.RijndaelManagedTransform.TransformFinalBlock(Byte[] inputBuffer, Int32 inputOffset, Int32 inputCount)
   at System.Security.Cryptography.CryptoStream.FlushFinalBlock()
   at System.Web.Configuration.MachineKeySection.EncryptOrDecryptData(Boolean fEncrypt, Byte[] buf, Byte[] modifier, Int32 start, Int32 length, Boolean useValidationSymAlgo)
   at System.Web.Security.FormsAuthentication.Decrypt(String encryptedTicket)
   at Security.GetAuthTicket()
   at Security.IsUserAuthenticated(String ConnectionString)
   at _Default.Page_Load(Object sender, EventArgs e)
   at System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o, Object t, EventArgs e)
   at System.Web.Util.CalliEventHandlerDelegateProxy.Callback(Object sender, EventArgs e)
   at System.Web.UI.Control.OnLoad(EventArgs e)
   at System.Web.UI.Control.LoadRecursive()
   at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)

The problem usually goes away if you logout of one site and then navigate to the other, or open the second site in a new IE window, but entering the URL of the second site whilst logged into the first produces the above error.

The only method that uses the Decrypt method is as follows, however there is no error location in the above error:

    public static FormsAuthenticationTicket GetAuthTicket()
    {
        // Extract the forms authentication cookie
        string zpCookieName = FormsAuthentication.FormsCookieName;
        HttpCookie opAuthCookie = HttpContext.Current.Request.Cookies[zpCookieName];

        if (opAuthCookie == null)
        {
            // There is no authentication cookie.
            return null;
        }

        FormsAuthenticationTicket opAuthTicket = null;

        opAuthTicket = FormsAuthentication.Decrypt(opAuthCookie.Value);

        if (opAuthTicket == null)
        {
            // Cookie failed to decrypt.
            throw new Exception("Could not decrypt authentication ticket");
        }
        else
        {
            return opAuthTicket;
        }
    }
0
Comment
Question by:SamDorling
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 29

Accepted Solution

by:
Göran Andersson earned 500 total points
ID: 20394553
The problem is that the applications have the same domain name, so they share the cookies. Specify the path when you create the cookies, so that each cookie is local to the directory.
ticket.Path = Request.Path.Substring(0, Request.Path.LastIndexOf('/'));

Open in new window

0
 
LVL 1

Author Closing Comment

by:SamDorling
ID: 31427346
Thanks for the prompt response, GreenGhost.  Setting the ".Path" property of the Cookie object did fix our problem.

Just as a side-note, we did also append a forward slash to the end of the "Path" property, e.g. our two virtual directories were:

http://ServerName/Application
http://ServerName/ApplicationReadOnly

Switching from the "ApplicationReadOnly" to "Application" still produced the "Padding is invalid" message, and it seemed to be because "/Application" partially matches "/ApplicationReadOnly", so by adding a forward slash to the end of the ".Path" property, the name is completely unique.  This seemed a bit strange, but must be some sort of security feature for cookies.
0
 
LVL 29

Expert Comment

by:Göran Andersson
ID: 20395044
I see. Then it seems that the path is matched against the requested url without parsing the separete folders. This is probably not very common knowledge, as this is the example code for the HttpCookie.Path property in MSDN Library:

MyCookie.Path = "/asp";

That code would have the same potential problem as you are describing.

As a side not to the side note ;)
You could just leave the slash, instead of excluding it and adding another:

ticket.Path = Request.Path.Substring(0, Request.Path.LastIndexOf('/') + 1);
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I have developed many web applications with asp & asp.net and to add and use a dropdownlist was always a very simple task, but with the new asp.net, setting the value is a bit tricky and its not similar to the old traditional method. So in this a…
The article shows the basic steps of integrating an HTML theme template into an ASP.NET MVC project
Although Jacob Bernoulli (1654-1705) has been credited as the creator of "Binomial Distribution Table", Gottfried Leibniz (1646-1716) did his dissertation on the subject in 1666; Leibniz you may recall is the co-inventor of "Calculus" and beat Isaac…
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …

749 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question